ttylog

package
v0.0.0-...-6a41818
Published: Mar 18, 2024 License: Apache-2.0 Imports: 14 Imported by: 0

README

The ttylog package is used to capture I/O from interactive sessions.

Description of UML logging

Adapted from this documentation.

User Mode Linux has (or had) a TTY logging format that was used to record terminal sessions on systems running as honeypots.

Logs were captured in files as a sequence of records, each consisting of a header of the following form followed by len bytes of data.

struct tty_log_buf {
	int what;
	unsigned long tty;
	int len;
	int direction;
	unsigned long sec;
	unsigned long usec;
};
  • what specifies which action the record describes. It is one of the following:
    • 1 - open a TTY
    • 2 - close a TTY
    • 3 - write to a TTY
  • tty is an opaque identifier for the TTY.
  • len is the number of bytes following the header; their meaning depends on what:
    • If the what was 1 (open), the bytes following are the name of the parent TTY.
    • If the what was 3 (write), the bytes following are the data written to the TTY.
  • direction indicates whether the data was read from or written to the TTY.
    • 1 is read
    • 2 is write
  • sec is the seconds part of a UNIX timestamp.
  • usec is the microseconds part of a UNIX timestamp.
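As an added example that is not part of the ttylog package or its README, the following Go code decodes a stream of records in the header format described above and rejects any record whose declared len overruns the input, which is the check a honeypot log reader needs against truncated or corrupt files. It assumes the 32-bit layout of struct tty_log_buf (six 4-byte little-endian fields, a 24-byte header); on an LP64 build the unsigned long fields are 8 bytes and the struct is padded, so the field offsets would differ.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// headerSize assumes the 32-bit layout of struct tty_log_buf: six 4-byte
// little-endian fields, no padding (an assumption; the README gives no ABI).
const headerSize = 24

// UMLRecord is one decoded header plus the len bytes of data that follow it.
type UMLRecord struct {
	What, Direction int32
	TTY, Sec, Usec  uint32
	Data            []byte
}

// ParseUMLLog decodes every record in buf. A header whose len exceeds the
// remaining input is rejected rather than read past the end of the buffer.
func ParseUMLLog(buf []byte) ([]UMLRecord, error) {
	var recs []UMLRecord
	for off := 0; off < len(buf); {
		if len(buf)-off < headerSize {
			return recs, fmt.Errorf("truncated header at offset %d", off)
		}
		field := func(i int) uint32 { return binary.LittleEndian.Uint32(buf[off+4*i:]) }
		r := UMLRecord{What: int32(field(0)), TTY: field(1), Direction: int32(field(3)), Sec: field(4), Usec: field(5)}
		n := int32(field(2))
		off += headerSize
		if n < 0 || int(n) > len(buf)-off {
			return recs, fmt.Errorf("record at %d declares %d bytes, %d remain", off-headerSize, n, len(buf)-off)
		}
		r.Data, off = buf[off:off+int(n)], off+int(n)
		recs = append(recs, r)
	}
	return recs, nil
}

// EncodeUMLRecord writes one record in the same assumed layout; it exists
// only so that sample input can be constructed inline for testing.
func EncodeUMLRecord(what int32, tty uint32, dir int32, sec, usec uint32, data []byte) []byte {
	out := make([]byte, headerSize, headerSize+len(data))
	for i, v := range []uint32{uint32(what), tty, uint32(len(data)), uint32(dir), sec, usec} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return append(out, data...)
}
```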

Documentation

Overview

Package ttylog contains utilities to log and play back TTY sessions.

Index

Constants

const AsciicastFileExt = "cast"

AsciicastFileExt holds the suggested file extension for asciicast files.

Variables

var (
	FD_name = map[int32]string{
		0: "STDIN",
		1: "STDOUT",
		2: "STDERR",
	}
	FD_value = map[string]int32{
		"STDIN":  0,
		"STDOUT": 1,
		"STDERR": 2,
	}
)

Enum value maps for FD.

var File_ttylog_proto protoreflect.FileDescriptor

Functions

func Replay

func Replay(recording LogSource, callback LogSink) (err error)

Replay reads a stream of events to a callback.

Types

type AsciicastLogSource

type AsciicastLogSource struct {
	// contains filtered or unexported fields
}

func NewAsciicastLogSource

func NewAsciicastLogSource(r io.Reader) *AsciicastLogSource

NewAsciicastLogSource reads log events from an asciicast-formatted file.

func (*AsciicastLogSource) Next

func (log *AsciicastLogSource) Next() (*TTYLogEntry, error)

Next returns the next log entry; it returns io.EOF when there are no more.

type Close

type Close struct {
	Fd FD `protobuf:"varint,1,opt,name=fd,proto3,enum=FD" json:"fd,omitempty"`
	// contains filtered or unexported fields
}

Closure of an FD.

func (*Close) Descriptor deprecated

func (*Close) Descriptor() ([]byte, []int)

Deprecated: Use Close.ProtoReflect.Descriptor instead.

func (*Close) GetFd

func (x *Close) GetFd() FD

func (*Close) ProtoMessage

func (*Close) ProtoMessage()

func (*Close) ProtoReflect

func (x *Close) ProtoReflect() protoreflect.Message

func (*Close) Reset

func (x *Close) Reset()

func (*Close) String

func (x *Close) String() string

type FD

type FD int32

The FD that the event was written to.

const (
	FD_STDIN  FD = 0
	FD_STDOUT FD = 1
	FD_STDERR FD = 2
)

func (FD) Descriptor

func (FD) Descriptor() protoreflect.EnumDescriptor

func (FD) Enum

func (x FD) Enum() *FD

func (FD) EnumDescriptor deprecated

func (FD) EnumDescriptor() ([]byte, []int)

Deprecated: Use FD.Descriptor instead.

func (FD) Number

func (x FD) Number() protoreflect.EnumNumber

func (FD) String

func (x FD) String() string

func (FD) Type

func (FD) Type() protoreflect.EnumType

type IO

type IO struct {
	Fd   FD     `protobuf:"varint,1,opt,name=fd,proto3,enum=FD" json:"fd,omitempty"`
	Data []byte `protobuf:"bytes,2,opt,name=data,proto3" json:"data,omitempty"`
	// contains filtered or unexported fields
}

I/O event on an FD.

func (*IO) Descriptor deprecated

func (*IO) Descriptor() ([]byte, []int)

Deprecated: Use IO.ProtoReflect.Descriptor instead.

func (*IO) GetData

func (x *IO) GetData() []byte

func (*IO) GetFd

func (x *IO) GetFd() FD

func (*IO) ProtoMessage

func (*IO) ProtoMessage()

func (*IO) ProtoReflect

func (x *IO) ProtoReflect() protoreflect.Message

func (*IO) Reset

func (x *IO) Reset()

func (*IO) String

func (x *IO) String() string

type LogSink

type LogSink func(t *TTYLogEntry) error

LogSink receives log events.

func NewAsciicastLogSink

func NewAsciicastLogSink(w io.Writer) LogSink

NewAsciicastLogSink creates a LogSink compatible with the asciicast v2 format.

See: https://github.com/asciinema/asciinema/blob/develop/doc/asciicast-v2.md

func NewClientOutput

func NewClientOutput(w io.Writer) LogSink

NewClientOutput writes stdout and stderr events to the given writer.

func NewKippoQuirksAdapter

func NewKippoQuirksAdapter(next LogSink) LogSink

NewKippoQuirksAdapter fixes quirks in log events that come from Kippo.

func NewRealTimePlayback

func NewRealTimePlayback(maxSleep time.Duration, next LogSink) LogSink

NewRealTimePlayback plays back events in real time. If maxSleep > 0, it is used as the maximum duration to pause between events.

func NewUMLLogSink

func NewUMLLogSink(w io.Writer) LogSink

NewUMLLogSink creates a LogSink that writes the User Mode Linux TTY log format.

type LogSource

type LogSource interface {
	// Next fetches the next available log entry. It returns io.EOF if the source
	// has no more log entries.
	Next() (*TTYLogEntry, error)
}

LogSource adapts log readers to a common interface.

type MockFdDir

type MockFdDir int

type MockFdOp

type MockFdOp int

type Recorder

type Recorder struct {
	*vos.VIOAdapter
	// contains filtered or unexported fields
}

func NewRecorder

func NewRecorder(toWrap vos.VIO, output LogSink) *Recorder

NewRecorder wraps toWrap in a Recorder that forwards all I/O events to output.

type TTYLogEntry

type TTYLogEntry struct {

	// Timestamp of the log event in microseconds since the UNIX epoch.
	TimestampMicros int64 `protobuf:"varint,1,opt,name=timestamp_micros,json=timestampMicros,proto3" json:"timestamp_micros,omitempty"`
	// Types that are assignable to Event:
	//	*TTYLogEntry_Io
	//	*TTYLogEntry_Close
	Event isTTYLogEntry_Event `protobuf_oneof:"event"`
	// contains filtered or unexported fields
}

func (*TTYLogEntry) Descriptor deprecated

func (*TTYLogEntry) Descriptor() ([]byte, []int)

Deprecated: Use TTYLogEntry.ProtoReflect.Descriptor instead.

func (*TTYLogEntry) GetClose

func (x *TTYLogEntry) GetClose() *Close

func (*TTYLogEntry) GetEvent

func (m *TTYLogEntry) GetEvent() isTTYLogEntry_Event

func (*TTYLogEntry) GetIo

func (x *TTYLogEntry) GetIo() *IO

func (*TTYLogEntry) GetTimestampMicros

func (x *TTYLogEntry) GetTimestampMicros() int64

func (*TTYLogEntry) ProtoMessage

func (*TTYLogEntry) ProtoMessage()

func (*TTYLogEntry) ProtoReflect

func (x *TTYLogEntry) ProtoReflect() protoreflect.Message

func (*TTYLogEntry) Reset

func (x *TTYLogEntry) Reset()

func (*TTYLogEntry) String

func (x *TTYLogEntry) String() string

type TTYLogEntry_Close

type TTYLogEntry_Close struct {
	Close *Close `protobuf:"bytes,3,opt,name=close,proto3,oneof"`
}

type TTYLogEntry_Io

type TTYLogEntry_Io struct {
	Io *IO `protobuf:"bytes,2,opt,name=io,proto3,oneof"`
}

type UMLLogSource

type UMLLogSource struct {
	// contains filtered or unexported fields
}

UMLLogSource parses log events from a user-mode-linux/Kippo formatted file.

func NewUMLLogSource

func NewUMLLogSource(r io.Reader) *UMLLogSource

NewUMLLogSource reads log events from a user-mode-linux/Kippo formatted file.

func (*UMLLogSource) Next

func (log *UMLLogSource) Next() (*TTYLogEntry, error)

Next returns the next log entry; it returns io.EOF when there are no more.
