Home > Linux Stuff, smb traffic analyzer > SMB Traffic Analyzer 1.0 released

SMB Traffic Analyzer 1.0 released

Finally, after about a year of development (with longer pauses, a newborn daughter and many other things …), a complete rewrite, and several major design changes, the development team celebrates the release of SMB Traffic Analyzer 1.0. We think the project has now matured enough to come up with a first version, and to be used as a base for our future work.

Overview slide of SMB Traffic Analyzer

For those who hear about SMB Traffic Analyzer (we call it SMBTA in the following) for the first time, the basic idea of SMBTA is to collect meta data about read and write processes on the services of a Samba server. Out of this data, statistics about the usage of the network can be created. While other solutions for this are listening on the network card and capture the SMB(2) protocol, SMBTA is different in that it implements a module for the Virtual File System Layer (VFS) of Samba, and making this data directly available in an SQL storage. Check it’s homepage for more information!

A typical Samba share configured for SMB Traffic Analyzer.

This 1.0 release is for the first time employing the new protocol of the traffic_analyzer VFS module in Samba. After we made a lot of experience with the drawbacks of the first implementation of the module, it was basically rewritten, while keeping the compatibility to the old protocol. Among many new features  the highlights are:

  • 128Bit AES encryption support
  • extendable protocol ready to add new features
  • log much more details, such as the SID of users
  • allow for 2 modes of anonymization

After the module was accepted upstream on samba.org, we began to develop applications making use of the data the module provides.¬† By this time, most priority was given on smbtad, the daemon program receiving the data from the VFS module. It is optimized for the new protocol and creates a Sqlite driven database from the data it receives. It’s task is to be fast at accepting data from the VFS module while allowing client programs to query the data.

The last_activity function of smbtaquery, showing the last activities of an object on log file form.

The usage function of smbtaquery shows the average usage of an object throughout the day.

The user doesn’t have to get into the details of the SQL storage that is being created. That’s what the client programs are for. There is smbtaquery, a command line program featuring a simple interpreter making it easy to perform typical tasks on the database aiming for producing statistics. It already supports a good number of functions, from simply measuring the totals of an object (an object might be a user, a share, a domain, a file) to a usage graph showing the average usage of an object over 24 hours. It is networked, so it can be run from any system that is able to reach the smbtad daemon program. It’s a simplified way of producing top ten lists of the most pressing objects, getting the last activities of an object and much more.

The smbtamonitor program, monitoring an object in real time.

Another end user application of SMBTA is smbtamonitor. It allows for monitoring an object in real-time, by employing some special features in smbtad, allowing it to no longer rely on the database as the data source, instead directly process the data received by the VFS module. Any instance of smbtamonitor is watching exactly one object, and the user can run as many smbtamonitor processes as wanted. Currently, smbtamonitor is showing the total sums of an object and the data throughput per second of a given object. Like smbtaquery, the program is networked, and a command line client at the moment, utilizing the ncurses library.

Furthermore, the SMB Traffic Analyzer software includes the smbtatorture program, a simple test program aiming to produce realistic office data traffic on two shares, and capable of recording it’s own run, so that exactly the same run can be reproduced. smbtatorture plays an essential role for performance measurement with SMBTA enabled services during development. It is also wonderful for long time testing of the software chain.

Last but not least, we worked on an asciidoc based documentation, trying to capture information on all the components of SMBTA. It can be found as HTML in the smbtatools package, and the most current version is also available here.

SMB Traffic Analyzer 1.0 can be downloaded from the Download Page.

This release is for sure not free of bugs, nor it is complete in any way. But it is a first step, and for the development team a place to build on, that’s exactly what this release is for. Don’t hesitate to provide us feedback, comments or bug reports, just contact us!

About these ads
  1. Andreas Schneider
    October 28, 2010 at 7:21 am

    Congratulations Holger, keep up your great work!

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

%d bloggers like this: