authorGerald Combs <gerald@wireshark.org>2018-09-05 16:29:34 -0700
committerAnders Broman <a.broman58@gmail.com>2018-10-01 08:58:13 +0000
commitf69108b84e9f996641d9c920fffc19853115f56b (patch)
tree76d5045fb254b7f67c73a5ca0b12f55c0edda9a1 /doc/sdjournal.pod
parente1ef8f6a408cb5a017ff5d15deddcb2727ddf90e (diff)
Add a systemd Journal Export extcap.
Add an sdjournal extcap, which reads journal entries using the sd-journal API and dumps them as journal Export Format records. Change-Id: I17ccfa88ab5d053c16c869cd26e580d84022502e Reviewed-on: https://code.wireshark.org/review/29479 Reviewed-by: Gerald Combs <gerald@wireshark.org> Petri-Dish: Gerald Combs <gerald@wireshark.org> Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'doc/sdjournal.pod')
-rw-r--r--doc/sdjournal.pod145
1 files changed, 145 insertions, 0 deletions
diff --git a/doc/sdjournal.pod b/doc/sdjournal.pod
new file mode 100644
index 0000000000..37738bda10
--- /dev/null
+++ b/doc/sdjournal.pod
@@ -0,0 +1,145 @@
+=begin man
+
+=encoding utf8
+
+=end man
+
+=head1 NAME
+
+sdjournal - Provide an interface to capture systemd journal entries.
+
+=head1 SYNOPSIS
+
+B<sdjournal>
+S<[ B<--help> ]>
+S<[ B<--version> ]>
+S<[ B<--extcap-interfaces> ]>
+S<[ B<--extcap-dlts> ]>
+S<[ B<--extcap-interface>=E<lt>interfaceE<gt> ]>
+S<[ B<--extcap-config> ]>
+S<[ B<--capture> ]>
+S<[ B<--fifo>=E<lt>path to file or pipeE<gt> ]>
+S<[ B<--start-from>=E<lt>entry countE<gt> ]>
+
+=head1 DESCRIPTION
+
+B<sdjournal> is an extcap tool that allows one to capture systemd
+journal entries. It can be used to correlate system events with
+network traffic.
+
+Supported interfaces:
+
+=over 4
+
+=item 1. sdjournal
+
+=back
+
+=head1 OPTIONS
+
+=over 4
+
+=item --help
+
+Print program arguments.
+
+=item --version
+
+Print program version.
+
+=item --extcap-interfaces
+
+List available interfaces.
+
+=item --extcap-interface=E<lt>interfaceE<gt>
+
+Use specified interfaces.
+
+=item --extcap-dlts
+
+List DLTs of specified interface.
+
+=item --extcap-config
+
+List configuration options of specified interface.
+
+=item --capture
+
+Start capturing from specified interface and write raw packet data to the location specified by --fifo.
+
+=item --fifo=E<lt>path to file or pipeE<gt>
+
+Save captured packet to file or send it through pipe.
+
+=item --start-from=E<lt>entry countE<gt>
+
+Start from the last E<lt>entry countE<gt> entries, similar to the
+"-n" or "--lines" argument for the L<tail> command. Values prefixed
+with a B<+> sign start from the beginning of the journal, otherwise
+the count starts from the end. The default value is 10. To include
+all entries use B<+0>.
+
+=back
+
+=head1 EXAMPLES
+
+To see program arguments:
+
+ sdjournal --help
+
+To see program version:
+
+ sdjournal --version
+
+To see interfaces:
+
+ sdjournal --extcap-interfaces
+
+Only one interface (sdjournal) is supported.
+
+ Output:
+ interface {value=sdjournal}{display=systemd journal capture}
+
+To see interface DLTs:
+
+ sdjournal --extcap-interface=sdjournal --extcap-dlts
+
+ Output:
+ dlt {number=147}{name=sdjournal}{display=USER0}
+
+To see interface configuration options:
+
+ sdjournal --extcap-interface=sdjournal --extcap-config
+
+ Output:
+
+ arg {number=0}{call=--start-from}{display=Starting position}{type=string}
+ {tooltip=The journal starting position. Values with a leading "+" start from the beginning, similar to the "tail" command}
+
+To capture:
+
+ sdjournal --extcap-interface=sdjournal --fifo=/tmp/sdjournal.pcap --capture
+
+To capture all entries since the system was booted:
+
+ sdjournal --extcap-interface=sdjournal --fifo=/tmp/sdjournal.pcap --capture --start-from +0
+
+NOTE: To stop capturing CTRL+C/kill/terminate application.
+
+=head1 SEE ALSO
+
+wireshark(1), tshark(1), dumpcap(1), extcap(4), tcpdump(1)
+
+=head1 NOTES
+
+B<sdjournal> is part of the B<Wireshark> distribution. The latest version
+of B<Wireshark> can be found at L<https://www.wireshark.org>.
+
+HTML versions of the Wireshark project man pages are available at:
+L<https://www.wireshark.org/docs/man-pages>.
+
+=head1 AUTHORS
+
+ Original Author
+ -------- ------
+ Gerald Combs <gerald[AT]wireshark.org>