@alejo wrote:
Summary
This post relates to our Mar 2016 webinar (*#ref needed) that demonstrates how to use VIRL's Packet Capture feature from User Workspace Management (UWM) and VM Maestro (VMM). The feature offers two methods: capture to file and live capture. Both methods are supported on all platforms, and the scripts included in this post will relieve some of the command line burden.
Pre-requisites
• Wireshark 2.0+
• Nmap (Windows only!)
Notes
As a general statement, it is strongly recommended that you use the latest version of Wireshark. While Windows users do not have to install Nmap, you do need to install a NetCat application. NetCat (nc) is needed to connect to the listening socket on the VIRL server when performing live captures. There is a standalone netcat.exe which you may download from HERE. This tutorial and webinar assume that you have installed the Nmap application, and all examples and demonstrated scripts reflect this assumption.
Links
Packet Capture with Wireshark on Mac
Enable Remote Live Packet Captures on Windows
TCPDUMP pcap filters
TCPDUMP expressions -- short list
What is covered
Offline Packet Capture
Live Packet Capture
Offline Packet Capture: This option lets the VIRL server handle the collection of data packets and send them to a file stored on the VIRL server. The capture can be applied with standard PCAP filters or left blank so the user can filter the capture directly in Wireshark. To save the capture, the user must download the capture file and save it locally.
Live Packet Capture: This option opens a listening port on the VIRL server to allow an external packet sniffer application (e.g. Wireshark) to connect and display the packet flow as it happens. This capture can be started with or without a PCAP filter. No pcap file is generated on the VIRL server, as all of the output is sent directly to the live port. To view and manipulate the capture, Wireshark must be connected to the VIRL server via the assigned live port.
Basic pcap filters
Note on pcap syntax:
The filter is looking for the attributes specified, meaning that a captured packet must contain all or some of those attributes. For example, setting a filter to capture pings and ARP messages like this:
icmp and arp
would produce an error and the filter would not be applied. This is because a single packet cannot be a unicast message and a broadcast message at the same time. So the correct syntax would be:
icmp or arp
which would capture all ping and ARP messages.
Capture packets with source or destination port 53 and 80:
udp port 53 or tcp port 80
Capture packets with destination port 80 (http):
tcp dst port 80
Capture icmp and arp packets:
icmp or arp
Capture all packets destined for a network of x:
net 10
All packets with source or destination network that starts with 10.
net 172.16.1
All packets with source or destination network that starts with 172.16.1
src net [network]
Same as above, but matches source network only
dst net [network]
Same as above, but matches destination network only
Scripts for live packet capture
live_pcap_gui.cmd.txt (987 Bytes)
live_pcap.cmd.txt (810 Bytes)
For Windows
live_pcap_gui.cmd
Usage:
Download the script and remove the .txt extension from the name. From any location on your local machine, double click the live_pcap_gui.cmd file and answer the prompts. The pre-requisites outlined in this post must be met before you can successfully use this script.
live_pcap.cmd
Usage:
Download the script and remove the .txt extension from the name. Open the script with your favorite text editor and edit the following line by replacing the included IP address with your VIRL server's IP address (leave the quotes in place):
set VIRL_HOST="your.host.ip.address"
Save the file.
To connect to a live port capture, start the script like this from a Run or CMD window:
C:\path\to\script\live_pcap.cmd [live_port]
The pre-requisites outlined in this post must be met before you can successfully use this script.
For Mac:
mac_live_pcap.sh.txt (1.1 KB)
mac_live_pcap.sh
Usage:
Download the script and remove the .txt extension from the name. Save the script to your local computer and note the location. Open a terminal window and change directory to the saved location of the script. Next, make the script executable by running this command:
chmod a+x mac_live_pcap.sh
To connect to a live port capture, start the script like this (the command prompt must be in the saved directory):
./mac_live_pcap.sh [live_port]
When prompted, enter the IP address of your VIRL server. Example:
MyMac:March alejo$ ./mac_live_pcap.sh 10003
IP address of VIRL Server: 172.16.50.245
To hard code the IP address of your VIRL server, open the script with a text editor and edit the appropriate lines as shown in the script.
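A portable sh equivalent of the live-capture scripts, added here as an example and not one of the attached files: it validates the server address and live port, checks that nc and Wireshark are installed, then pipes the netcat stream either into Wireshark's stdin or into a local .pcap file. The host, port and output file name are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not one of the attached scripts): connect to a VIRL live-capture
# port with netcat and either stream the packets into Wireshark or save them to a
# .pcap file. Assumes nc and wireshark are on PATH; host/port come from the caller.

# Return 0 if $1 is a plausible TCP port (1-65535), else 1.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print the pipeline for the chosen mode so it can be inspected before running.
# "live" feeds the stream to Wireshark's stdin (-k starts capturing at once);
# "file" writes the raw pcap stream to a local file instead.
build_cmd() { # host port mode [outfile]
    case "$3" in
        live) printf 'nc %s %s | wireshark -k -i -' "$1" "$2" ;;
        file) printf 'nc %s %s > %s' "$1" "$2" "${4:-capture.pcap}" ;;
        *) return 1 ;;
    esac
}

# Validate inputs and tooling, then run the pipeline. Exit codes: 2 bad input, 3 missing tool.
live_pcap() { # host port mode [outfile]
    valid_ipv4 "$1" || { echo "bad VIRL host address: $1" >&2; return 2; }
    valid_port "$2" || { echo "bad live port: $2" >&2; return 2; }
    command -v nc >/dev/null 2>&1 || { echo "nc (netcat) not found" >&2; return 3; }
    [ "$3" = file ] || command -v wireshark >/dev/null 2>&1 \
        || { echo "wireshark not found" >&2; return 3; }
    cmd=$(build_cmd "$1" "$2" "$3" "$4") || { echo "mode must be live or file" >&2; return 2; }
    echo "running: $cmd" >&2
    sh -c "$cmd"
}

# Placeholder usage (your VIRL server address and assigned live port go here):
#   ./live_pcap.sh 172.16.50.245 10003 live
if [ $# -ge 3 ]; then
    live_pcap "$@"
fi
```

Apply any PCAP filter when starting the capture in UWM/VMM; the client side only forwards whatever the live port sends.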