OpenCALEA-lite


What is OpenCALEA-lite?

OpenCALEA-lite is a rewrite of the original OpenCALEA project. OpenCALEA-lite is an attempt to return to the original idea of OpenCALEA: to provide an easy-to-use, stable, and lightweight mechanism for CALEA compliance. For more information, see the README.

Which is better?

Really that's up to the individual. There are several factors to consider:

  • OpenCALEA-lite has been tested internally (at Merit), if not extensively, and should be stable.
  • OpenCALEA-lite was designed with ease of use in mind, and should be easier to set up, use, and deploy on a network.
  • Development of OpenCALEA-lite is ongoing (by Merit staff), and updates will likely be released at least through the end of the year.

Dependencies

OpenCALEA-lite depends rather heavily on GLib. Currently, it requires GLib >= 2.8; if there is any compelling need, this requirement could (relatively) easily be reduced to GLib 2.0. Please email the developers if you would like us to prioritize this.

  • GLib >= 2.8 -- Required by all OCL components
  • pthreads -- Required by all OCL components
  • libpcap -- Required by "tap", "kerbTap", and "listener"*
  • OPT: readline / ncurses -- The controller will use these if available; it degrades gracefully otherwise

OpenCALEA-lite roadmap

The following features are planned for future releases of OpenCALEA-lite. These ideas are intended to be implemented eventually, although they are by no means guaranteed to be implemented in the next (or any) release, nor are they listed in any particular order.

  • NEXT: Bugfix hunt to eliminate any / all possible hangs.
  • GUI (likely gtk) for controller
  • Automated restart procedure for interrupted tap sessions
  • A Kerberos watchdog that will start and stop tap sessions based on user login/logout. This would be in addition to (likely an option) the standard Kerberos watch.
  • Device grouping
  • Allow manual setting of TAP_ID, possibly hashing strings for better readability
  • More advanced email notifications
  • Authentication between the various processes
  • Encryption of tap data
  • Ncurses based controller environment
  • Interprocess keepalive channels - see Known Issues for more detail
  • Fix all known issues...

Changelog

  • Version 0.2.1 --> 0.3
    • Split out communication into a separate "ocl communication library". This should eliminate any hangs in inter-process communication; this should be a big step towards stability. Hopefully, there should be no need to kill any of the ocl processes for any reason anymore.
  • Version 0.2.0 --> 0.2.1
    • Added client functionality to the listener.
    • Controller appends device types to hostnames, should be a nice usability improvement.
  • Version 0.1.5 --> 0.2.0
    • Added kerbTap, a new tap program that sniffs out authentication / ticket grants by user name
    • Several stability / interface patches
  • Version 0.1.4 --> 0.1.5
    • GNU Readline library support added. Command history and tab completion are now possible.
    • Hostname abstraction is supported. Execute commands on taps by hostname instead of "Tap ID"
    • Basic scheduling functionality is now possible, set up start / end times for taps.
    • Primitive email notifications via sendmail of scheduled/started/stopped taps.
    • The README needs work, after which a version bump to 0.2 is scheduled.
  • Version 0.1.3 --> 0.1.4
    • Drastically improved help / README
    • Most commands can now utilize the 'all' keyword to execute across many taps
    • Improved automated renaming protocol when a file is found to exist
    • A few small bugfixes
  • Version 0.1.2 --> 0.1.3
    • Updated automake to pull sample *.ini files into make dist
    • Check running directory and ../etc for *.ini files (local first)
    • Added output on listener startup
  • Version 0.1.1 --> 0.1.2
    • Bugfix: = --> == in vlan parsing
    • Bugfix: Improved GLib version checking (help requires 2.14, everything else only 2.6, allow use in range)
  • Version 0.1 --> 0.1.1
    • Implemented a real update mechanism, including automatic background updates based on tap progress.
    • Added a packet count to controller's list command (semi-automatic updates).
    • Added support to strip vlan headers (-v, for now).
    • Fixed the README to accurately represent the program.

Known Issues

  • If a listener process dies unexpectedly, it is removed from the tap process's list of running taps, but the controller's list is not automatically updated; instead, the "update" command must be issued to ensure that tap data is fresh.
  • In the same vein, a tap will not be aware of a listener that has died unexpectedly until it tries to send a packet. That is to say, if you start a tap at 8AM, kill the listener at 9AM, and the tap's filter sees no traffic until 10AM, then for the whole window between 9AM and 10AM the tap (and therefore the controller watching this tap) will think it is connected when really it is not. A keepalive protocol is in the works, but it will have to be delicately implemented, as I do not believe there is a keepalive mechanism of any kind in the CALEA standard. It will likely be on a separate channel from running taps, and unique to each tap / listener pair, not each tap session. This will likely not be implemented for a while, but is on the back burner.
  • As of v0.3, there should be no compilation warnings. It should be noted that '-fno-strict-aliasing' is in place, due to a known bug in GLib surrounding the usage of GStaticMutexes. If there are any warnings, they are a bug - please submit them as such [pat dot pannuto at gmail dot com].
  • The controller (only) will build fine without libpcap installed; however, the configure file will not let you build anything without libpcap. At some point, the configure script will be made more flexible to allow for building of individual elements.

Download

Currently no precompiled binaries are available (sorry). OpenCALEA-lite (OCL) utilizes the automake build system for ease of build. Simply download and unzip the source, go into the directory and type "./configure", followed by "make". Provided no errors occurred (if any do, please email ppannuto@merit.edu), enter the src directory, where the "controller", "tap", and "listener" programs should be built. You may test the software by simply running each program on your local machine; they do not take any arguments. The controller is interactive; for help, simply type "help". To configure OCL, edit the *.ini files in the etc directory. See the README for a sample usage.

A word of warning: be sure that (especially while you are testing) your filter is restrictive enough that you don't tap your OCL session, as it will begin recursively tapping: the tap will catch a packet and forward it to the listener, the tap will then catch the packet it just forwarded, which it will capture and forward, and so on.
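The feedback loop described in this warning, as an added simulation that is not part of OpenCALEA-lite's code. It does not use libpcap or the real delivery format; the addresses, the listener port, and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed values for illustration; real ones come from OCL's *.ini files. */
#define TAP_HOST      "192.0.2.10"
#define LISTENER_HOST "192.0.2.20"
#define LISTENER_PORT 6666      /* hypothetical delivery port */
#define MAX_FORWARDS  1000      /* cap so the runaway case terminates */

struct pkt { const char *src, *dst; int dport; };
typedef int (*filter_fn)(const struct pkt *);

/* Too broad: equivalent to "host 192.0.2.10", so it also matches tap output. */
static int filter_broad(const struct pkt *p) {
    return strcmp(p->src, TAP_HOST) == 0 || strcmp(p->dst, TAP_HOST) == 0;
}

/* Same filter with the tap-to-listener flow excluded. */
static int filter_guarded(const struct pkt *p) {
    int ocl = strcmp(p->dst, LISTENER_HOST) == 0 && p->dport == LISTENER_PORT;
    return filter_broad(p) && !ocl;
}

/* Constructed traffic: two packets involve the tapped host, one does not. */
static const struct pkt SAMPLE_WIRE[] = {
    { TAP_HOST, "198.51.100.5", 80 },
    { "198.51.100.5", TAP_HOST, 443 },
    { "203.0.113.9", "198.51.100.5", 53 },
};

/* Returns how many packets the tap forwards to the listener. */
static int simulate_tap(filter_fn f, const struct pkt *wire, int n) {
    int forwards = 0;
    for (int i = 0; i < n && forwards < MAX_FORWARDS; i++) {
        int captured = f(&wire[i]);
        while (captured && forwards < MAX_FORWARDS) {
            struct pkt fwd = { TAP_HOST, LISTENER_HOST, LISTENER_PORT };
            forwards++;             /* tap sends a copy to the listener */
            captured = f(&fwd);     /* the copy crosses the tapped interface */
        }
    }
    return forwards;
}

int main(void) {
    printf("broad filter:   %d forwards\n", simulate_tap(filter_broad, SAMPLE_WIRE, 3));
    printf("guarded filter: %d forwards\n", simulate_tap(filter_guarded, SAMPLE_WIRE, 3));
    return 0;
}
```

With these constructed values, the guard corresponds to appending `and not (dst host 192.0.2.20 and dst port 6666)` to the pcap filter expression.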

  • Version 0.3 -- 1/4/08 -- Source
  • Version 0.2.1 -- 12/26/08 -- Source
  • Version 0.2 -- 12/22/08 -- Source
  • Version 0.1.5 -- 10/21/08 -- Source
  • Version 0.1.4 -- 8/21/08 -- Source
  • Version 0.1.3 -- 8/9/08 -- Source
  • Version 0.1.2 -- 8/8/08 -- Source
  • Version 0.1.1 -- 8/4/08 -- Source
  • Version 0.1 -- 7/30/08 -- Source