Wire Transform

The wireTransform utility is a demonstration of a generic wire ‘transform’ concept: input is taken from a wire subscription, transformed into a different format, and then either published onto a different wire or written to STDOUT.

Note that the source and target wires can be on different Volts, located anywhere on the internet.

Currently the only supported transform is from tcpdump text output to a protobuf format matching the definition below, wrapped in a ProtobufSyncWrapper message suitable for input into the protoDbSync utility.

syntax = "proto3";
package tranforms;

message TCPDumpPacket {
  string timestamp = 1;
  string source_mac_address = 2;
  string source_manufacturer_id = 3;
  bool is_broadcast = 4;
  bool is_arp = 5;
  string target_mac_address = 6;
  string target_manufacturer_id = 7;
  string ether_type = 8;
  string unknown_1 = 9;
  int32 length = 10;
  string source_address = 11;
  string target_address = 12;
  string payload = 13;
}
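As an added illustration (not code from the wireTransform project), the following Python maps tcpdump text lines onto the TCPDumpPacket fields above and drops lines that are not packet records. It assumes the link-level line layout printed by tcpdump -e and uses constructed sample lines; the page does not define the input format or what unknown_1 holds, so the mapping of that field to the parenthesised ethertype code is an assumption.

```python
import re

# Assumed shape of one tcpdump link-level line (tcpdump -e); the page does not show the input format.
_ETHER = re.compile(
    r"^(?P<ts>\S+) "
    r"(?P<smac>[0-9a-f:]{17}|Broadcast)(?: \(oui (?P<soui>[^)]*)\))? > "
    r"(?P<tmac>[0-9a-f:]{17}|Broadcast)(?: \(oui (?P<toui>[^)]*)\))?, "
    r"ethertype (?P<etype>\S+) \((?P<code>0x[0-9a-fA-F]+)\), length (?P<len>\d+): (?P<rest>.*)$"
)
_IP_PAIR = re.compile(r"^(?P<src>\S+) > (?P<dst>[^:]+):")  # IPv4 endpoints only
_ARP = re.compile(r"who-has (?P<dst>[^,\s]+) tell (?P<src>[^,\s]+)")
BROADCAST = "ff:ff:ff:ff:ff:ff"

SAMPLE_LINES = [  # constructed sample input, not captured traffic
    "12:34:56.789012 aa:bb:cc:dd:ee:01 (oui Unknown) > Broadcast, ethertype ARP (0x0806), "
    "length 42: Request who-has 192.0.2.1 tell 192.0.2.2, length 28",
    "12:34:57.000001 aa:bb:cc:dd:ee:01 (oui Unknown) > aa:bb:cc:dd:ee:02 (oui Unknown), "
    "ethertype IPv4 (0x0800), length 98: 192.0.2.2 > 192.0.2.1: ICMP echo request, id 1, seq 1, length 64",
    "\t0x0000:  4500 0054 1c46 4000 4001 b1e6 c000 0202",  # hex-dump continuation line, must be skipped
]

def parse_tcpdump_line(line):
    """Map one tcpdump text line onto the TCPDumpPacket fields; None if it is not a packet line."""
    m = _ETHER.match(line.strip())
    if not m:
        return None
    tmac = BROADCAST if m["tmac"] == "Broadcast" else m["tmac"]
    rest = m["rest"]
    # ARP lines name the addresses as "who-has <target> tell <source>"; IP lines as "<src> > <dst>:"
    pair = _ARP.search(rest) if m["etype"] == "ARP" else _IP_PAIR.match(rest)
    src, dst = (pair["src"], pair["dst"]) if pair else ("", "")
    return {
        "timestamp": m["ts"],
        "source_mac_address": m["smac"],
        "source_manufacturer_id": m["soui"] or "",
        "is_broadcast": tmac == BROADCAST,
        "is_arp": m["etype"] == "ARP",
        "target_mac_address": tmac,
        "target_manufacturer_id": m["toui"] or "",
        "ether_type": m["etype"],
        "unknown_1": m["code"],  # assumption: the page does not say what unknown_1 holds
        "length": int(m["len"]),
        "source_address": src,
        "target_address": dst,
        "payload": rest,
    }

def transform_lines(lines):
    """The 'transform' step: tcpdump text lines in, TCPDumpPacket records out; non-packet lines dropped."""
    return [rec for rec in map(parse_tcpdump_line, lines) if rec is not None]
```

Because the record keys equal the message field names, a Python class generated from this .proto with protoc accepts a record as keyword arguments (TCPDumpPacket(**record)); the ProtobufSyncWrapper step is not shown because the page does not define that message.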

Usage

Begin by dumping the tcpdump command output to a wire:

tcpdump <filter> | volt wire -w @tcpdump-text

The wireTransform utility is then used (potentially on a different machine from that running the tcpdump command) to transform the incoming text format tcpdump output (on wire @tcpdump-text) into a binary protobuf format, and then publish this transformed output onto the @tcpdump-binary wire:

./wireTransform --source-config=source.config.json -s @tcpdump-text --target-config=target.config.json -t @tcpdump-binary

If both the source and target wires are on the same Volt you can omit the --target-config option.

To write the transformed output to STDOUT rather than another wire, simply omit the -t switch:

./wireTransform --source-config=source.config.json -s @tcpdump-text

The format of the configuration files is a plain Volt client connection format as described here.

protoDbSync integration

The wireTransform utility transforms textual tcpdump data into a format compatible with the protoDbSync utility.

In order to make the output available to protoDbSync, use the volt logger command. In the example below, we run wireTransform so that it writes the transformed data to STDOUT, and then redirect that output into the volt logger command.

./wireTransform --source-config=source.config.json -s @tcpdump-text | ./volt logger -c tcpdump.logger.json

The volt logger command will generate the appropriate format files required by the protoDbSync utility, according to the configuration contained in the tcpdump.logger.json file, an example of which is shown below.

{
  "logger": {
    "headerId": "tcpdump-logger",
    "headers": [
      {
        "messageName": "TCPDumpPacket",
        "messageProto": "syntax = \"proto3\";\n\npackage tranforms;\n\nmessage TCPDumpPacket {\n string timestamp = 1;\n string source_mac_address = 2;\n string source_manufacturer_id = 3;\n bool is_broadcast = 4;\n bool is_arp = 5;\n string target_mac_address = 6;\n string target_manufacturer_id = 7;\n string ether_type = 8;\n string unknown_1 = 9;\n int32 length = 10;\n string source_address = 11;\n string target_address = 12;\n string payload = 13;\n}\n",
        "name": "header0",
        "tableName": "tcpdump"
      }
    ],
    "logFileExtension": "pdat",
    "logFilePath": "./logs",
    "logFilePrefix": "tcpdump-log-",
    "logFileSize": 64000
  }
}

See the protoDbSync utility for more details.