Extract network traces from Samba log files
log2pcap [-h] [-q] [logfile] [pcap_file]
This tool is part of the samba(7) suite.
log2pcap reads in a samba log file and generates a pcap file (readable by most sniffers, such as ethereal or tcpdump) based on the packet dumps in the log file.
The log file must have a log level of at least 5 to get the SMB header/parameters right, 10 to get the first 512 data bytes of the packet and 50 to get the whole packet.
If this parameter is specified the output file will be a hex dump, in a format that is readable by the text2pcap utility.
Be quiet. No warning messages about missing or incomplete data will be given.
Samba log file. log2pcap will try to read the log from stdin if the log file is not specified.
Name of the output file to write the pcap (or hexdump) data to. If this argument is not specified, output data will be written to stdout.
Print a summary of command line options.
Extract all network traffic from all samba log files:
$ log2pcap < /var/log/alternatives.log /var/log/alternatives.log.1 /var/log/alternatives.log.2.gz /var/log/apt /var/log/aptitude /var/log/aptitude.1.gz /var/log/aptitude.2.gz /var/log/auth.log /var/log/auth.log.1 /var/log/auth.log.2.gz /var/log/auth.log.3.gz /var/log/auth.log.4.gz /var/log/boot.log /var/log/boot-sav /var/log/bootstrap.log /var/log/btmp /var/log/btmp.1 /var/log/ConsoleKit /var/log/cups /var/log/dmesg /var/log/dmesg.0 /var/log/dmesg.1.gz /var/log/dmesg.2.gz /var/log/dmesg.3.gz /var/log/dmesg.4.gz /var/log/dpkg.log /var/log/dpkg.log.1 /var/log/dpkg.log.2.gz /var/log/faillog /var/log/fontconfig.log /var/log/fsck /var/log/gpu-manager.log /var/log/hp /var/log/installer /var/log/kern.log /var/log/kern.log.1 /var/log/kern.log.2.gz /var/log/kern.log.3.gz /var/log/kern.log.4.gz /var/log/lastlog /var/log/mdm /var/log/mintsystem.log /var/log/pm-powersave.log /var/log/pm-powersave.log.1 /var/log/pm-powersave.log.2.gz /var/log/pm-suspend.log /var/log/pm-suspend.log.1 /var/log/pm-suspend.log.2.gz /var/log/pycentral.log /var/log/samba /var/log/speech-dispatcher /var/log/syslog /var/log/syslog.1 /var/log/syslog.2.gz /var/log/syslog.3.gz /var/log/syslog.4.gz /var/log/syslog.5.gz /var/log/syslog.6.gz /var/log/syslog.7.gz /var/log/sysstat /var/log/teamviewer /var/log/tor /var/log/udev /var/log/unattended-upgrades /var/log/upstart /var/log/wtmp /var/log/wtmp.1 /var/log/Xorg.0.log /var/log/Xorg.0.log.old > trace.pcap
Convert to pcap using text2pcap:
$ log2pcap -h samba.log | text2pcap -T 139,139 - trace.pcap
This man page is correct for version 3 of the Samba suite.
Only SMB data is extracted from the samba logs, no LDAP, NetBIOS lookup or other data.
The generated TCP and IP headers don't contain a valid checksum.
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.
This manpage was written by Jelmer Vernooij.