Tuesday, July 14, 2015

Extracting Traffic from Rolling Capture Files

Every so often I need to extract a subset of traffic from a set of rolling timestamped pcap files. One common place I do this is with Security Onion; one of the great features of SO is its full-packet-capture feature: you can easily pivot from Snort, Suricata, or Bro logs to a full packet capture view, or download the associated pcap file.

But what if you don't have an associated alert or Bro log entry? Or if you're doing pcap on some system that's not as user-friendly as Security Onion, but nonetheless supports rolling captures?

The way I usually do this is with find and xargs. Here's an example of my most common workflow, using timestamps as the filtering criteria for find:

> find . -newerct "16:07" ! -newerct "16:10" | xargs -I {} tcpdump -r {} -w /tmp/{} host 8.8.8.8
> cd /tmp
> mergecap -w merged.pcap *.pcap

Translated:
  1. Find all files in the current directory created after 16:07 but not created after 16:10. This requires GNU find 4.3.3 or later. It supports many different time and date formats.
  2. Using xargs, filter each file with the "host 8.8.8.8" BPF expression and write it to /tmp with the same filename.
  3. Merge all the .pcap files in /tmp into merged.pcap.
You can easily modify this workflow to fit other use cases.
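The same workflow wrapped in two shell functions, as an added example that is not from the original post. It selects files with GNU find's -newermt (modification time) instead of the post's -newerct: on a rolling capture the mtime is the moment the file was rotated, it is not bumped by chmod, chown or mv the way ctime is, and `touch -d` can set it, so the selection step can be exercised on constructed files without real captures. The file names, times and the 8.8.8.8 filter are assumptions; tcpdump and mergecap are only needed by extract_window.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Requires GNU find and GNU touch (for the demo); extract_window also needs
# tcpdump and mergecap on PATH. All file names and timestamps are constructed.

# select_window DIR START END
# Print, sorted, the regular files under DIR whose modification time is newer
# than START and not newer than END. START/END are any date strings GNU find
# accepts, e.g. '2015-07-14 16:07'. A bare '16:07' means today at 16:07.
select_window() {
    find "$1" -type f -newermt "$2" ! -newermt "$3" | sort
}

# extract_window DIR START END OUTDIR BPF...
# Filter each selected file with the BPF expression, writing the matching
# packets to OUTDIR/<basename>, then merge them into OUTDIR/merged.pcap.
extract_window() {
    dir=$1 start=$2 end=$3 out=$4
    shift 4
    mkdir -p "$out"
    select_window "$dir" "$start" "$end" | while IFS= read -r f; do
        # basename keeps the output flat when DIR has dated subdirectories
        # (the post's "-w /tmp/{}" form breaks on "./sub/dir/file" paths).
        tcpdump -r "$f" -w "$out/$(basename "$f")" "$@"
    done
    mergecap -w "$out/merged.pcap" "$out"/*.pcap
}

# Demonstrate the selection step on constructed, empty "capture" files whose
# mtimes are set one or two minutes apart; only the middle two are in the window.
demo_select() {
    d=$(mktemp -d)
    touch -d '2015-07-14 16:06:30' "$d/snort.log.1436889990"
    touch -d '2015-07-14 16:07:30' "$d/snort.log.1436890050"
    touch -d '2015-07-14 16:08:30' "$d/snort.log.1436890110"
    touch -d '2015-07-14 16:10:30' "$d/snort.log.1436890230"
    select_window "$d" '2015-07-14 16:07' '2015-07-14 16:10' | sed "s|^$d/||"
    rm -rf "$d"
}

demo_select
# Real use (assumed paths and filter):
#   extract_window . '2015-07-14 16:07' '2015-07-14 16:10' /tmp/out host 8.8.8.8
```

Because the `find | while read` loop reads one path per line, file names containing spaces are handled, which the post's plain xargs pipeline does not do; if two subdirectories hold a file of the same basename, the second tcpdump write overwrites the first, so add a date prefix to the output name in that layout.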

8 comments:

theFlakes said...

Caught this on the SO mailing list. I had a shell script to automate some of this but the pulling of the information from the multiple snort files wasn't as nice as yours. thanks

https://github.com/theflakes/security-onion-misc-scripts/blob/master/getPcap.sh

Greg said...

Thanks for sharing! I've been trying to figure out how to do this!

why college should not be free said...

I don't know how to extract traffic from rolling captures. I have read many blogs about this but I didn't understand it well. After reading this post, I easily understood it very well.

Gokul Ravi said...

very nice interview questions
vlsi interview questions
extjs interview questions
laravel interview questions
sap bi/bw interview questions
pcb interview questions
unix shell scripting interview questions

Gokul Ravi said...

really awesome blog
hr interview questions
hibernate interview questions
selenium interview questions
c interview questions
c++ interview questions
linux interview questions

Gokul Ravi said...

thanks for sharing this blog
spring mvc interview questions
machine learning online training
servlet interview questions mytectra.in
wcf interview questions

Gokul Ravi said...

nice blog
android training in bangalore
ios training in bangalore

Abhiram Sharma said...

Hi There,


Great post. Well thought out. This piece reminds me when I was starting out Loopback Mountain Key after graduating from college.

I am working on LDPC encoding and decoding for mini project work. With my effort I have completed LDPC encoding but am struggling with LDPC decoding. I need to complete this project within a short period so please help me.

I don't know how to start the decoding algorithm in C language but I do have the algorithm. So, can anyone help me in writing C language for the decoding procedure.

Thank you very much and will look for more postings from you.


Thank you,
John