Provided by: samba-vfs-modules_4.3.11+dfsg-0ubuntu0.16.04.34_amd64 bug

NAME

       vfs_smb_traffic_analyzer - log Samba VFS read and write operations through a socket to a
       helper application

SYNOPSIS

       vfs objects = smb_traffic_analyzer

DESCRIPTION

       This VFS module is part of the samba(7) suite.

       The vfs_smb_traffic_analyzer VFS module logs client file operations on a Samba server and
       sends this data over a socket to a helper program (in the following the "Receiver"), which
       feeds a SQL database. More information on the helper programs can be obtained from the
       homepage of the project at: http://holger123.wordpress.com/smb-traffic-analyzer/ Since the
       VFS module depends on a receiver that is doing something with the data, it is evolving in
       it's development. Therefore, the module works with different protocol versions, and the
       receiver has to be able to decode the protocol that is used. The protocol version 1 was
       introduced to Samba at September 25, 2008. It was a very simple protocol, supporting only
       a small list of VFS operations, and had several drawbacks. The protocol version 2 is a try
       to solve the problems version 1 had while at the same time adding new features. With the
       release of Samba 4.0.0, the module will run protocol version 2 by default.

PROTOCOL VERSION 1 DOCUMENTATION

       vfs_smb_traffic_analyzer protocol version 1 is aware of the following VFS operations:
           write
           pwrite
           read
           pread

       vfs_smb_traffic_analyzer sends the following data in a fixed format separated by a comma
       through either an internet or a unix domain socket:

                BYTES|USER|DOMAIN|READ/WRITE|SHARE|FILENAME|TIMESTAMP

       Description of the records:

       •   BYTES - the length in bytes of the VFS operation

       •   USER - the user who initiated the operation

       •   DOMAIN - the domain of the user

       •   READ/WRITE - either "W" for a write operation or "R" for read

       •   SHARE - the name of the share on which the VFS operation occurred

       •   FILENAME - the name of the file that was used by the VFS operation

       •   TIMESTAMP - a timestamp, formatted as "yyyy-mm-dd hh-mm-ss.ms" indicating when the VFS
           operation occurred

       •   IP - The IP Address (v4 or v6) of the client machine that initiated the VFS operation.

       This module is stackable.

DRAWBACKS OF PROTOCOL VERSION 1

       Several drawbacks have been seen with protocol version 1 over time.

       •   Problematic parsing - Protocol version 1 uses hyphen and comma to separate blocks of
           data. Once there is a filename with a hyphen, you will run into problems because the
           receiver decodes the data in a wrong way.

       •   Insecure network transfer - Protocol version 1 sends all it's data as plaintext over
           the network.

       •   Limited set of supported VFS operations - Protocol version 1 supports only four VFS
           operations.

       •   No subreleases of the protocol - Protocol version 1 is fixed on it's version, making
           it unable to introduce new features or bugfixes through compatible sub-releases.

VERSION 2 OF THE PROTOCOL

       Protocol version 2 is an approach to solve the problems introduced with protcol v1. From
       the users perspective, the following changes are most prominent among other enhancements:

       •   The data from the module may be send encrypted, with a key stored in secrets.tdb. The
           Receiver then has to use the same key. The module does AES block encryption over the
           data to send.

       •   The module now can identify itself against the receiver with a sub-release number,
           where the receiver may run with a different sub-release number than the module.
           However, as long as both run on the V2.x protocol, the receiver will not crash, even
           if the module uses features only implemented in the newer subrelease. Ultimately, if
           the module uses a new feature from a newer subrelease, and the receiver runs an older
           protocol, it is just ignoring the functionality. Of course it is best to have both the
           receiver and the module running the same subrelease of the protocol.

       •   The parsing problems of protocol V1 can no longer happen, because V2 is marshalling
           the data packages in a proper way.

       •   The module now potentially has the ability to create data on every VFS function. As of
           protocol V2.0, there is support for 8 VFS functions, namely write,read,pread,pwrite,
           rename,chdir,mkdir and rmdir. Supporting more VFS functions is one of the targets for
           the upcoming sub-releases.

       To enable protocol V2, the protocol_version vfs option has to be used (see OPTIONS).

OPTIONS WITH PROTOCOL V1 AND V2.X

       smb_traffic_analyzer:mode = STRING
           If STRING matches to "unix_domain_socket", the module will use a unix domain socket
           located at /var/tmp/stadsocket, if STRING contains an different string or is not
           defined, the module will use an internet domain socket for data transfer.

       smb_traffic_analyzer:host = STRING
           The module will send the data to the system named with the hostname STRING.

       smb_traffic_analyzer:port = STRING
           The module will send the data using the TCP port given in STRING.

       smb_traffic_analyzer:anonymize_prefix = STRING
           The module will replace the user names with a prefix given by STRING and a simple hash
           number. In version 2.x of the protocol, the users SID will also be anonymized.

       smb_traffic_analyzer:total_anonymization = STRING
           If STRING matches to 'yes', the module will replace any user name with the string
           given by the option smb_traffic_analyzer:anonymize_prefix, without generating an
           additional hash number. This means that any transfer data will be mapped to a single
           user, leading to a total anonymization of user related data. In version 2.x of the
           protocol, the users SID will also be anonymized.

       smb_traffic_analyzer:protocol_version = STRING
           If STRING matches to V1, the module will use version 1 of the protocol. If STRING is
           not given, the module will use version 2 of the protocol, which is the default.

EXAMPLES

       Running protocol V2 on share "example_share", using an internet socket.

                [example_share]
                path = /data/example
                vfs_objects = smb_traffic_analyzer
                smb_traffic_analyzer:host = examplehost
                smb_traffic_analyzer:port = 3491

       The module running on share "example_share", using a unix domain socket

                [example_share]
                path = /data/example
                vfs objects = smb_traffic_analyzer
                smb_traffic_analyzer:mode = unix_domain_socket

       The module running on share "example_share", using an internet socket, connecting to host
       "examplehost" on port 3491.

                [example_share]
                path = /data/example
                vfs objects = smb_traffic_analyzer
                smb_traffic_analyzer:host = examplehost
                smb_traffic_analyzer:port = 3491

       The module running on share "example_share", using an internet socket, connecting to host
       "examplehost" on port 3491, anonymizing user names with the prefix "User".

                [example_share]
                path = /data/example
                vfs objects = smb_traffic_analyzer
                smb_traffic_analyzer:host = examplehost
                smb_traffic_analyzer:port = 3491
                smb_traffic_analyzer:anonymize_prefix = User

VERSION

       This man page is correct for version 3.3 of the Samba suite.

AUTHOR

       The original Samba software and related utilities were created by Andrew Tridgell. Samba
       is now developed by the Samba Team as an Open Source project similar to the way the Linux
       kernel is developed.

       The original version of the VFS module and the helper tools were created by Holger
       Hetterich.