Original link: http://elasticsearch.cn/article/48
Packetbeat (https://www.elastic.co/products/beats/packetbeat)
is an open-source network packet capture and analysis framework with built-in parsers for many common protocols, such as HTTP, MySQL and Thrift. There are many more network protocols than that, though, so how do you add one of your own? This article shows how to build on Packetbeat to implement support for your own protocol.
Development environment:
1. Go
Packetbeat is written in Go, which gives it good performance and easy deployment; for more on Go see https://golang.org/.
2. Git
Source control; most readers will already be familiar with it.
3. Tcpdump
Packet capture and analysis on *nix; optional, used for debugging.
4. A Mac
Windows is too painful; not recommended.
5. IDE
IDEA is recommended, but anything you are comfortable with will do.
This tutorial walks through writing an extension for SMTP, the protocol used to send mail. The encrypted variant is more involved, so for simplicity this tutorial uses unencrypted, plaintext SMTP, whose default port is 25.
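Plaintext SMTP is line-oriented, and the part of a protocol parser that is easiest to get wrong is framing: a TCP segment can end in the middle of a command, a server reply can span several "250-" lines, and a peer can withhold the CRLF forever. The Go code below is an added example, not code from the Packetbeat repository or from a later part of this tutorial; it does not use Packetbeat's plugin API at all, and only shows how one direction of a port-25 stream can be reassembled into commands and replies, including the overlong-line cap and DATA-body handling a sniffer needs. The type names, the maxLine constant and the sample session are my own constructions.

```go
package main

import (
	"bytes"
	"fmt"
	"strconv"
	"strings"
)

// maxLine caps how much of an unterminated line is buffered, so a peer that never
// sends CRLF cannot grow the sniffer's memory without limit (RFC 5321 keeps command lines under 512 octets).
const maxLine = 4096

// SMTPMessage is a client command, a body line after DATA, or one server reply line.
type SMTPMessage struct {
	FromClient bool
	Verb       string // upper-cased command verb, e.g. "MAIL" (client only)
	Arg        string // text after the verb (client only)
	Body       bool   // true for message body lines sent after DATA
	Code       int    // 3-digit reply code (server only)
	Continued  bool   // true for the "250-..." parts of a multi-line reply
	Text       string // reply text or body line
}

// SMTPStream reassembles one direction of a TCP connection into CRLF lines; a
// segment may end mid-line, so the unfinished tail is kept until the next one.
type SMTPStream struct {
	FromClient bool
	inData     bool // client side only: inside a DATA body
	buf        bytes.Buffer
}

// Feed appends one segment's payload and returns every message whose line is now
// complete. A malformed line is consumed and reported; later lines stay buffered.
func (s *SMTPStream) Feed(payload []byte) ([]SMTPMessage, error) {
	s.buf.Write(payload)
	var out []SMTPMessage
	for {
		data := s.buf.Bytes()
		i := bytes.Index(data, []byte("\r\n"))
		if i < 0 {
			if s.buf.Len() > maxLine {
				s.buf.Reset()
				return out, fmt.Errorf("unterminated line over %d bytes dropped", maxLine)
			}
			return out, nil // wait for the rest of the line
		}
		line := string(data[:i])
		s.buf.Next(i + 2)
		msg, err := s.parseLine(line)
		if err != nil {
			return out, err
		}
		out = append(out, msg)
	}
}

func (s *SMTPStream) parseLine(line string) (SMTPMessage, error) {
	if !s.FromClient {
		return parseReply(line)
	}
	if s.inData {
		if line == "." { // end of the message body
			s.inData = false
			return SMTPMessage{FromClient: true, Verb: "."}, nil
		}
		// Undo RFC 5321 dot-stuffing: a body line starting with "." arrives as "..".
		return SMTPMessage{FromClient: true, Body: true, Text: strings.TrimPrefix(line, ".")}, nil
	}
	verb, arg, _ := strings.Cut(line, " ")
	if verb == "" {
		return SMTPMessage{}, fmt.Errorf("empty command line")
	}
	m := SMTPMessage{FromClient: true, Verb: strings.ToUpper(verb), Arg: arg}
	// Simplification (assumption): body mode starts as soon as DATA is sent; a
	// full plugin would wait for the server's 354 reply before switching.
	s.inData = m.Verb == "DATA"
	return m, nil
}

// parseReply handles "250 OK", "250-PIPELINING" and a bare "250".
func parseReply(line string) (SMTPMessage, error) {
	if len(line) < 3 {
		return SMTPMessage{}, fmt.Errorf("reply too short: %q", line)
	}
	code, err := strconv.Atoi(line[:3])
	if err != nil || code < 100 || code > 599 || (len(line) > 3 && line[3] != ' ' && line[3] != '-') {
		return SMTPMessage{}, fmt.Errorf("malformed reply line %q", line)
	}
	m := SMTPMessage{Code: code}
	if len(line) > 3 {
		m.Continued, m.Text = line[3] == '-', line[4:]
	}
	return m, nil
}

func main() { // constructed sample: the EHLO line arrives split across two segments
	c := &SMTPStream{FromClient: true}
	fmt.Println(c.Feed([]byte("EHLO clie")))
	fmt.Println(c.Feed([]byte("nt.example.test\r\n")))
}
```

Running it shows the first call returning nothing (the line is incomplete) and the second returning a single EHLO command with the full argument. The switch into body mode on the client's DATA alone is a deliberate simplification: a real plugin sees both directions and would only treat following lines as body after the server's 354.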
A. Checking out the source
Log in to GitHub and open https://github.com/elastic/beats
Fork it to get your own repository, for example mine: https://github.com/medcl/packetbeat
# create the directories
mkdir -p $GOPATH/src/github.com/elastic/
cd $GOPATH/src/github.com/elastic
# check out the source
git clone https://github.com/elastic/beats.git
cd beats
# rename the official repository to the upstream remote and add your own fork as origin
git remote rename origin upstream
git remote add origin git@github.com:medcl/packetbeat.git
# pull the latest upstream code (not needed right after forking)
git pull upstream master
# check out a branch named smtpbeat for this work
git checkout -b smtpbeat
# switch to the packetbeat module
cd packetbeat
# fetch the dependencies
(mkdir -p $GOPATH/src/golang.org/x/ && cd $GOPATH/src/golang.org/x && git clone https://github.com/golang/tools.git)
go get github.com/tools/godep
# build
make
The compiled binary, packetbeat, is in the root directory.
Now let's test it.
Edit etc/packetbeat.yml and add enabled: true under elasticsearch under output; it is disabled by default. If your Elasticsearch has Shield installed, also add the credentials; in my case the Elasticsearch username and password are both tribe_user. Oh, I forgot to mention: our Elasticsearch runs on the local machine.
The full packetbeat.yml configuration reference is at: https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-configuration.html
output:
  elasticsearch:
    enabled: true
    hosts: ["localhost:9200"]
    username: "tribe_user"
    password: "tribe_user"
Now you can start packetbeat with the command below; by default it listens for all the built-in protocols, such as HTTP and DNS.
./packetbeat -e -c etc/packetbeat.yml -d "publish"
The commonly used parameters:
-N  dry-run mode: events are not actually published to the output
-e  print debug logs to the console
-d  show only the logs of the named logger
Now open a few web pages and the console shows corresponding output, like this:
2015/12/29 14:24:39.965037 preprocess.go:37: DBG Start Preprocessing
2015/12/29 14:24:39.965366 publish.go:98: DBG Publish: {
  "@timestamp": "2015-12-29T14:24:39.709Z",
  "beat": {
    "hostname": "medcls-MacBook.local",
    "name": "medcls-MacBook.local"
  },
  "bytes_in": 31,
  "bytes_out": 115,
  "client_ip": "192.168.3.10",
  "client_port": 53669,
  "client_proc": "",
  "client_server": "",
  "count": 1,
  "direction": "out",
  "dns": {
    "additionals_count": 0,
    "answers": [
      {
        "class": "IN",
        "data": "www.a.shifen.com",
        "name": "sp2.baidu.com",
        "ttl": 333,
        "type": "CNAME"
      }
    ],
    "answers_count": 1,
    "authorities": [
      {
        "class": "IN",
        "data": "ns1.a.shifen.com",
        "expire": 86400,
        "minimum": 3600,
        "name": "a.shifen.com",
        "refresh": 5,
        "retry": 5,
        "rname": "baidu_dns_master.baidu.com",
        "serial": 1512240003,
        "ttl": 12,
        "type": "SOA"
      }
    ],
    "authorities_count": 1,
    "flags": {
      "authoritative": false,
      "recursion_allowed": true,
      "recursion_desired": true,
      "truncated_response": false
    },
    "id": 7435,
    "op_code": "QUERY",
    "question": {
      "class": "IN",
      "name": "sp2.baidu.com",
      "type": "AAAA"
    },
    "response_code": "NOERROR"
  },
  "ip": "192.168.3.1",
  "method": "QUERY",
  "port": 53,
  "proc": "",
  "query": "class IN, type AAAA, sp2.baidu.com",
  "resource": "sp2.baidu.com",
  "responsetime": 18,
  "server": "",
  "status": "OK",
  "transport": "udp",
  "type": "dns"
}
2015/12/29 14:24:39.965774 preprocess.go:94: DBG Forward preprocessed events
2015/12/29 14:24:39.965796 async.go:42: DBG async forward to outputers (1)
2015/12/29 14:24:40.099973 output.go:103: DBG output worker: publish 2 events
Elasticsearch should now have data in it; let's check:
curl http://localhost:9200/_cat/indices\?pretty\=true -u tribe_user:tribe_user
yellow open packetbeat-2015.12.29 5 1 135 0 561.2kb 561.2kb
At this point the packetbeat source builds successfully and the whole development workflow works end to end. The next part starts on the SMTP protocol extension itself.
Packetbeat protocol extension development tutorial, part 1