HEX
Server: Apache
System: Linux vps-cdc32557.vps.ovh.ca 5.15.0-156-generic #166-Ubuntu SMP Sat Aug 9 00:02:46 UTC 2025 x86_64
User: hanode (1017)
PHP: 7.4.33
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
$ pwd: /usr/share/sysdig/chisels/
Upload Files
File: //usr/share/sysdig/chisels/udp_extract.lua
--[[
Copyright (C) 2018 Draios inc.

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License version 2 as
published by the Free Software Foundation.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.
--]]
local OUTPUT_DIR_NAME = "./udp_dump_files"

description = "This chisel parses a trace file, identifies file descriptors carrying UDP network traffic (DNS excluded) and dumps the content of each FD into a different file in the " .. OUTPUT_DIR_NAME .. " directory. Files are named after the UDP tuple they contain.";
short_description = "extract data from UDP streams to files.";
category = "I/O";

args = {}

files = {}

function mkdir(dirname)
	os.execute('mkdir ' .. dirname .. " 2> /dev/null")
	os.execute('md ' .. dirname .. " 2> nul")
end

function on_init()
	fbuf = chisel.request_field("evt.rawarg.data")
	fres = chisel.request_field("evt.rawarg.res")
	ffdname = chisel.request_field("fd.name")
	ffdtype = chisel.request_field("fd.type")

	mkdir(OUTPUT_DIR_NAME)

	sysdig.set_snaplen(16384)
	chisel.set_filter("evt.dir=< and evt.rawres>=0 and fd.l4proto=udp and evt.is_io=true")
	return true
end

function on_capture_start()
	if sysdig.is_live() then
		print("live capture not supported")
		return false
	end
	return true
end

function on_event()
	local buf = evt.field(fbuf)
	local etype = evt.get_type()
	local res = evt.field(fres)
	local fdname = evt.field(ffdname)
	local fdtype = evt.field(fdtype)
	local containername = evt.field(fcontainername)
	local is_io_read = evt.field(fis_io_read)
	local is_io_write = evt.field(fis_io_write)

	if not files[fdname] then
		file_name = OUTPUT_DIR_NAME .. "/" .. fdname
		file_name = string.gsub(file_name, ":", "_")
		file_name = string.gsub(file_name, ">", "-")
		files[fdname] = io.open(file_name, "w")
	end

	files[fdname]:write(buf)

	return true
end
@ Telegram