Ticket #151 (new new_feature)

Opened 6 months ago

Add Support For Programmatic Network Packet Capture

Reported by: kindlund Assigned to: kindlund
Priority: highest Milestone: 1.1
Component: HoneyClient::Manager Version: none
Severity: none Keywords: manager, vm, packet, capture, network, pcap
Cc:

Description

Rather than performing out-of-band bulk packet captures, configure the Manager to automatically capture relevant network traffic from each clone, in order to detect when a compromise occurs. This data should be in PCAP format and should be eventually provided to the Drone web service, referenced by the fingerprint generated.

Net::Packet::Dump looks promising, but currently has a hardcoded snaplen of 1514. I'm trying to contact the author to make this snaplen configurable (65535).

Here's a possible (untested) patch to Dump.pm (Net::Packet::Dump v3.25):

  • Dump.pm

    old new  
    3535   noLayerWipe 
    3636   mode 
    3737   keepTimestamp 
     38   snaplen 
    3839   _pid 
    3940   _pcapd 
    4041   _dumper 
     
    8283      frames         => [], 
    8384      mode           => NP_DUMP_MODE_ONLINE, 
    8485      keepTimestamp  => 0, 
     86      snaplen        => 1514, 
    8587      _sDataAwaiting => 0, 
    8688      _sName         => "netpacket-tmp-$$.@{[getRandom32bitsInt()]}.storable", 
    8789      @_, 
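Review bot: the new default `snaplen => 1514` keeps the old behaviour, but nothing in the constructor checks the value a caller passes, so `snaplen => 0` or a non-numeric value goes straight through to Net::Pcap::open_live. Consider rejecting anything that is not a positive integer here, and note in the ticket that the Manager will have to pass `snaplen => 65535` explicitly, since the default does not change.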
     
    219221   my $err; 
    220222   my $pd = Net::Pcap::open_live( 
    221223      $self->[$__dev], 
    222       1514
     224      $self->[$__snaplen]
    223225      $self->[$__promisc], 
    224226      1000, 
    225227      \$err, 
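Review bot: the added argument line `$self->[$__snaplen]` has no trailing comma, while its neighbours `$self->[$__dev],` and `$self->[$__promisc],` do; as rendered, `$self->[$__snaplen] $self->[$__promisc],` is a syntax error, so add the comma (or confirm the diff view dropped it). The line also depends on the `$__snaplen` index constant being generated from the attribute list added in the first hunk, the same way `$__dev` and `$__promisc` are, which is worth confirming since the patch is untested.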
     
    641643      file          => 'live.pcap', 
    642644      filter        => 'tcp', 
    643645      promisc       => 1, 
     646      snaplen       => 1514, 
    644647      noStore       => 1, 
    645648      keepTimestamp => 1, 
    646649      unlinkOnClean => 0, 
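Review bot: the SYNOPSIS now shows `snaplen => 1514`, which is the default and so tells the reader nothing; since the point of the option is to stop frames longer than 1514 bytes being cut, the example is more useful with a value that differs from the default, e.g. the 65535 the ticket mentions, with a comment saying it captures whole frames.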
     
    757760 
    758761If you want to capture in promiscuous mode, set it to 1. Default to 0. 
    759762 
     763=item B<snaplen> 
     764 
     765If you want to capture a different snaplen, set it a number. Default to 1514. 
     766 
    760767=item B<link> 
    761768 
    762769This attribute tells which datalink type is used for .pcap files. 
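Review bot: the new item text reads `set it a number`, which should be `set it to a number`. It also never says what snaplen is, so a reader cannot tell why they would change it; suggest wording along the lines of `Maximum number of bytes captured per frame; longer frames are truncated. Default to 1514.`, which matches the style of the surrounding items.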
     
    829836 
    830837promisc:         0 
    831838 
     839snaplen:         1514 
     840 
    832841timeoutOnNext:   3 
    833842 
    834843isRunning:       0 
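The description asks for per-clone captures in PCAP format and for a snaplen larger than the 1514 hardcoded in Net::Packet::Dump. The following added example (not code from this ticket, from HoneyClient or from Net::Packet) is a small Python PCAP writer and reader that shows what the snaplen does to stored data: each record carries `incl_len` (bytes captured) and `orig_len` (bytes on the wire), and a capture opened with snaplen 1514 keeps at most 1514 bytes of an oversized frame, which is exactly the truncation a 65535 setting avoids. The frames, MAC addresses and timestamps are constructed for illustration, and the writer rejects a non-positive snaplen, a check the proposed patch does not make.

```python
import struct

# PCAP savefile constants
PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond-timestamp magic; this writer always emits little-endian
LINKTYPE_ETHERNET = 1
DEFAULT_SNAPLEN = 1514          # the value hardcoded in Net::Packet::Dump 3.25
FULL_SNAPLEN = 65535            # the value the ticket wants to be able to configure

GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len


def write_pcap(frames, snaplen=DEFAULT_SNAPLEN):
    """Serialize (ts_sec, ts_usec, frame) triples as a PCAP stream.

    Frames longer than snaplen are cut to snaplen bytes, which is what a live capture
    opened with that snaplen would have stored; orig_len still records the wire length.
    """
    if not isinstance(snaplen, int) or not 1 <= snaplen <= 0xFFFFFFFF:
        raise ValueError("snaplen must be a positive 32-bit integer")
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, frame in frames:
        captured = frame[:snaplen]
        out += RECORD_HDR.pack(ts_sec, ts_usec, len(captured), len(frame))
        out += captured
    return bytes(out)


def read_pcap(data):
    """Parse a little-endian PCAP stream into (snaplen, records).

    Each record is (ts_sec, ts_usec, incl_len, orig_len, captured_bytes). A record that
    claims more bytes than the header snaplen, than its own orig_len, or than remain
    in the stream is rejected rather than silently mis-parsed.
    """
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("truncated global header")
    magic, major, minor, _tz, _sig, snaplen, _linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC_USEC or (major, minor) != (2, 4):
        raise ValueError("unsupported pcap header")
    off = GLOBAL_HDR.size
    records = []
    while off < len(data):
        if off + RECORD_HDR.size > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(data):
            raise ValueError("malformed record at offset %d" % off)
        records.append((ts_sec, ts_usec, incl_len, orig_len, data[off:off + incl_len]))
        off += incl_len
    return snaplen, records


def truncated_records(data):
    """Indices of records whose captured bytes are fewer than the wire length (incl_len < orig_len)."""
    _snaplen, records = read_pcap(data)
    return [i for i, (_s, _u, incl, orig, _b) in enumerate(records) if incl < orig]


def make_frame(total_len):
    """Constructed Ethernet frame of total_len bytes: fake locally-administered MACs,
    IPv4 ethertype, and a byte pattern as payload (not real traffic)."""
    header = bytes.fromhex("020000000001" "020000000002" "0800")
    payload = bytes((i % 251) for i in range(total_len - len(header)))
    return header + payload


# Constructed sample: a minimum-size frame, a full-size Ethernet frame, and an oversized
# one such as a jumbo frame or an offload-coalesced segment. Timestamps are arbitrary.
SAMPLE_FRAMES = [
    (1700000000, 0, make_frame(60)),
    (1700000000, 500, make_frame(1514)),
    (1700000001, 0, make_frame(4000)),
]


def demo():
    """Compare what survives with the hardcoded snaplen versus a full-size one."""
    result = {}
    for label, snaplen in (("default", DEFAULT_SNAPLEN), ("full", FULL_SNAPLEN)):
        stream = write_pcap(SAMPLE_FRAMES, snaplen)
        _snaplen, records = read_pcap(stream)
        result[label] = {
            "truncated": truncated_records(stream),
            "captured_lengths": [r[2] for r in records],
        }
    return result


if __name__ == "__main__":
    for label, info in demo().items():
        print(label, info)
```

Running the block reports which records were cut under each setting. When captures are later handed to the Drone service and matched against a fingerprint, `incl_len < orig_len` on a record is the sign that the capture lost payload bytes a detector may have needed, so a reader of those files should check for it rather than assume every record is complete.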
