pcapr-local 0.1.12 → 0.1.13
- data/README.md +64 -0
- data/VERSION +1 -1
- data/pcapr-local.gemspec +4 -2
- metadata +4 -2
data/README.md
ADDED
@@ -0,0 +1,64 @@
|
|
1
|
+
# pcapr.Local #
|
2
|
+
|
3
|
+
## Introduction
|
4
|
+
|
5
|
+
pcapr.Local is a tool for browsing and managing a large repository of packet capture files (pcaps). After you install and configure pcapr.Local with the location of your pcaps, it automatically indexes those pcaps and enables you to navigate your collection using a web browser. Pcapr.Local extends and integrates with [Xtractr](http://code.google.com/p/pcapr/wiki/Xtractr), so it uses the Xtractr web UI hosted on pcapr.net. However, because the UI is configured to talk to the local Xtractr instance managed by pcapr.Local, your data never leaves your network.
|
6
|
+
|
7
|
+
In addition to managing pcaps, pcapr.Local helps you leverage your custom Wireshark dissectors to create Scenarios in Mu Studio. Just download the PAR file (Pcap ARchive) file created by pcapr.Local and import it into Mu Studio, where your Wireshark data guides Scenario creation.
|
8
|
+
|
9
|
+
## Dependencies
|
10
|
+
|
11
|
+
### Supported Environments
|
12
|
+
|
13
|
+
Linux (any flavor). You can install on a dedicated Linux system or in a virtual machine (VM).
|
14
|
+
|
15
|
+
### Ruby & Rubygems
|
16
|
+
|
17
|
+
Ruby (1.8.6, 1.8.7, 1.9.2) + Rubygems (1.3.7 or higher). When using Ruby 1.8.6, you must install rubygems 1.3.7. Rubygems officially ceased support for ruby 1.8.6 as of the rubygems 1.4.0 release, so any version 1.4.x or higher will not install on a ruby 1.8.6 system.
|
18
|
+
|
19
|
+
### CouchDB
|
20
|
+
Local and remote installations supported. If you have configured a username and password for the CouchDB service, you'll need to provide those user credentials during the pcapr.Local gem installation. On Ubuntu/Debian you can install CouchDB with:
|
21
|
+
|
22
|
+
$ sudo apt-get install couchdb
|
23
|
+
|
24
|
+
### Wireshark (any version)
|
25
|
+
|
26
|
+
Pcapr.Local will automatically use the installed version of tshark (a component of Wireshark) to create the pcap indexes. When using a package manager (such as aptitude on Ubuntu), you might need to install tshark command line utility separately if it's not included as part of the Wireshark installation.
|
27
|
+
|
28
|
+
### Zip (any version)
|
29
|
+
Pcapr.Local requires zip to create PAR files from your indexed pcaps.
|
30
|
+
|
31
|
+
## Running pcapr.Local
|
32
|
+
|
33
|
+
1. Install the gem.
|
34
|
+
2. Run the "startpcapr" executable that is installed with the gem:
|
35
|
+
|
36
|
+
$ startpcapr
|
37
|
+
|
38
|
+
This configuration script asks you some basic questions and records your answers in a config file at ~/.pcapr_local/config that will be used on subsequent invocations. After collecting configuration information, the server process returns a prompt but continues running in the background. To monitor the process, tail the pcapr.Local log file with:
|
39
|
+
|
40
|
+
$ tail -F ~/pcapr.Local/log/server.log
|
41
|
+
|
42
|
+
3. Add your packet capture files to the pcap directory you configured (default ~/pcapr.Local/pcaps) and wait a few minutes for pcap.Local to index them.
|
43
|
+
4. Point your web browser to http://localhost:8080 (or whatever you configured).
|
44
|
+
5. Stop the pcapr.Local server with:
|
45
|
+
|
46
|
+
$ stoppcapr
|
47
|
+
|
48
|
+
## Creating PAR Files
|
49
|
+
|
50
|
+
A PAR file (Pcap ARchive) is a format that can be imported into Mu Studio to create a Scenario. Although a PAR file is equivalent to a pcap file for the purposes of Scenario creation, because a PAR contains dissection data from your local Wireshark installation, you'll get the full benefits of any custom dissectors used by that installation. Additionally, when you import a PAR file you'll bypass flow selection and go directly to the Scenario Editor.
|
51
|
+
|
52
|
+
### In the Web UI
|
53
|
+
|
54
|
+
Point your web browser to http://localhost:8080 (or whatever you configured), then select a pcap to view its details. At the bottom of the details page, click the Download PAR File link.
|
55
|
+
|
56
|
+
### On the Command Line
|
57
|
+
|
58
|
+
The gem bundles a CLI tool for creating PAR files called 'pcap2par'. To use, just provide a path to your pcap:
|
59
|
+
|
60
|
+
$ pcap2par my_traffic.pcap
|
61
|
+
|
62
|
+
This creates a PAR file called "export.par" in the current directory. You can optionally specify the name of the output file as a second argument:
|
63
|
+
|
64
|
+
$ pcap2par my_traffic.pcap ~/par_files/my_traffic.par
|
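Review bot: The Introduction's claim that "your data never leaves your network" needs a qualifier, because the same paragraph says the Xtractr web UI is hosted on pcapr.net: the browser loads that UI from a remote origin and the UI then talks to the local Xtractr instance, so the guarantee covers the pcap contents and rests on the UI code served by pcapr.net; state that explicitly. The "Running pcapr.Local" section should also say which interface the server listens on (it only gives http://localhost:8080 "or whatever you configured") and whether the UI or the local Xtractr instance requires any authentication, and since startpcapr records the collected answers, including any CouchDB credentials, in ~/.pcapr_local/config, the README should mention that file's permissions. Two smaller points: the config path uses ~/.pcapr_local while the log and pcap paths use ~/pcapr.Local (tail -F ~/pcapr.Local/log/server.log, default ~/pcapr.Local/pcaps), so confirm both spellings are intended; and step 3 reads "pcap.Local" where "pcapr.Local" is meant.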
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
0.1.
|
1
|
+
0.1.13
|
data/pcapr-local.gemspec
CHANGED
@@ -5,7 +5,7 @@
|
|
5
5
|
|
6
6
|
Gem::Specification.new do |s|
|
7
7
|
s.name = %q{pcapr-local}
|
8
|
-
s.version = "0.1.
|
8
|
+
s.version = "0.1.13"
|
9
9
|
|
10
10
|
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
11
11
|
s.authors = ["Mu Dynamics"]
|
@@ -15,12 +15,14 @@ Gem::Specification.new do |s|
|
|
15
15
|
s.executables = ["pcap2par", "startpcapr", "stoppcapr", "xtractr"]
|
16
16
|
s.extra_rdoc_files = [
|
17
17
|
"LICENSE.txt",
|
18
|
-
"README.html"
|
18
|
+
"README.html",
|
19
|
+
"README.md"
|
19
20
|
]
|
20
21
|
s.files = [
|
21
22
|
".document",
|
22
23
|
"LICENSE.txt",
|
23
24
|
"README.html",
|
25
|
+
"README.md",
|
24
26
|
"Rakefile",
|
25
27
|
"VERSION",
|
26
28
|
"bin/pcap2par",
|
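Review bot: README.md is added to both extra_rdoc_files and s.files while README.html stays in both lists; if one of the two is generated from the other (the Rakefile is shipped alongside them), note which is the source so the two copies do not drift. The list entries themselves are consistent with the metadata changes below.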
metadata
CHANGED
@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
|
|
5
5
|
segments:
|
6
6
|
- 0
|
7
7
|
- 1
|
8
|
-
-
|
9
|
-
version: 0.1.
|
8
|
+
- 13
|
9
|
+
version: 0.1.13
|
10
10
|
platform: ruby
|
11
11
|
authors:
|
12
12
|
- Mu Dynamics
|
@@ -190,10 +190,12 @@ extensions: []
|
|
190
190
|
extra_rdoc_files:
|
191
191
|
- LICENSE.txt
|
192
192
|
- README.html
|
193
|
+
- README.md
|
193
194
|
files:
|
194
195
|
- .document
|
195
196
|
- LICENSE.txt
|
196
197
|
- README.html
|
198
|
+
- README.md
|
197
199
|
- Rakefile
|
198
200
|
- VERSION
|
199
201
|
- bin/pcap2par
|