EXA8 Stenographer
Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets on the EXA8.
Installing Stenographer on an embedded system with limited capabilities can be tedious. A full exa8-rootfs image that already includes a working instance of Stenographer is provided for the EXA8.
By default, the Stenographer configuration is stored in /etc/stenographer/config. It defines the number of capture threads and, for each thread, the storage location and free disk percentage settings.
{
"Threads": [
{ "PacketsDirectory": "/mnt/sda/data/stenographer/PKT0"
, "IndexDirectory": "/mnt/sda/data/stenographer/IDX0"
, "MaxDirectoryFiles": 30000
, "DiskFreePercentage": 10
}
]
, "StenotypePath": "/usr/bin/stenotype"
, "Interface": "br0"
, "Port": 1234
, "Host": "127.0.0.1"
, "Flags": ["--filesize_mb=16", "--aiops=16", "--seccomp=none" ]
, "CertPath": "/etc/stenographer/certs"
}
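A small audit of the configuration above, as an added example that is not part of the original page or the Stenographer project: it parses the config and reports settings worth reviewing, such as an API Host that is not loopback or the --seccomp=none flag, which turns off stenotype's seccomp sandbox. The function name audit_config and the 1-99 range for DiskFreePercentage are assumptions of this example.

```python
import ipaddress
import json

# Constructed sample input: the configuration shown on this page.
PAGE_CONFIG = """{
  "Threads": [{"PacketsDirectory": "/mnt/sda/data/stenographer/PKT0",
               "IndexDirectory": "/mnt/sda/data/stenographer/IDX0",
               "MaxDirectoryFiles": 30000, "DiskFreePercentage": 10}],
  "StenotypePath": "/usr/bin/stenotype", "Interface": "br0",
  "Port": 1234, "Host": "127.0.0.1",
  "Flags": ["--filesize_mb=16", "--aiops=16", "--seccomp=none"],
  "CertPath": "/etc/stenographer/certs"
}"""


def audit_config(text):
    """Return a list of findings for a Stenographer config given as JSON text."""
    cfg = json.loads(text)
    findings = []

    # The query API should stay on loopback unless remote access is intended.
    host = cfg.get("Host", "")
    try:
        loopback = ipaddress.ip_address(host).is_loopback
    except ValueError:
        loopback = host == "localhost"
    if not loopback:
        findings.append(f"Host {host!r} is not a loopback address")

    # --seccomp=none disables the seccomp sandbox around the capture process.
    if "--seccomp=none" in cfg.get("Flags", []):
        findings.append("Flags contain --seccomp=none")

    seen = set()
    for i, thread in enumerate(cfg.get("Threads", [])):
        pct = thread.get("DiskFreePercentage")
        # The accepted range is this example's assumption, not a project rule.
        if not isinstance(pct, int) or not 1 <= pct <= 99:
            findings.append(f"Threads[{i}] DiskFreePercentage {pct!r} outside 1-99")
        for key in ("PacketsDirectory", "IndexDirectory"):
            path = thread.get(key)
            if not path or path in seen:
                findings.append(f"Threads[{i}] {key} missing or reused: {path!r}")
            seen.add(path)
    return findings


if __name__ == "__main__":
    for finding in audit_config(PAGE_CONFIG):
        print("FINDING:", finding)
```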
Stenographer provides a built-in console utility, stenoread, to read data from its API. Additional helpers can be found in the stenotool repository or by using the stenoread.js npm package.
Stenographer can be managed as a regular service on the EXA8:
systemctl start stenographer
systemctl status stenographer
systemctl stop stenographer
Rotation is defined by the available disk storage in the underlying stenotype configuration. Once the free disk quota is exceeded, older files and indices will be rotated and removed progressively.
By default, Stenographer on the EXA8 stores captured data and indices under /mnt/sda/data/stenographer/. To clean up, stop the stenographer service and remove all existing data manually:
rm -rf /mnt/sda/data/stenographer/IDX0/*
rm -rf /mnt/sda/data/stenographer/PKT0/*