pcapr-local 0.1.13 → 0.2.0
- data/README.html +733 -451
- data/README.md +107 -24
- data/Rakefile +5 -7
- data/VERSION +1 -1
- data/lib/mu/scenario/pcap.rb +8 -0
- data/lib/pcapr_local.rb +11 -1
- data/lib/pcapr_local/config.rb +13 -8
- data/pcapr-local.gemspec +3 -27
- metadata +7 -28
data/README.md
CHANGED
@@ -2,63 +2,146 @@
|
|
2
2
|
|
3
3
|
## Introduction
|
4
4
|
|
5
|
-
pcapr.Local is a tool for browsing and managing a large repository of packet
|
6
|
-
|
7
|
-
|
5
|
+
pcapr.Local is a tool for browsing and managing a large repository of packet
|
6
|
+
capture files (pcaps). After you install and configure pcapr.Local with the
|
7
|
+
location of your pcaps, it automatically indexes those pcaps and enables you
|
8
|
+
to navigate your collection using a web browser. pcapr.Local extends and
|
9
|
+
integrates with [Xtractr](http://code.google.com/p/pcapr/wiki/Xtractr), so it
|
10
|
+
uses the Xtractr web UI hosted on pcapr.net. However, because the UI is
|
11
|
+
configured to talk to the local Xtractr instance managed by pcapr.Local, your
|
12
|
+
data never leaves your network.
|
13
|
+
|
14
|
+
In addition to managing pcaps, pcapr.Local helps you leverage your custom
|
15
|
+
Wireshark dissectors and command-line options to create Scenarios in Mu
|
16
|
+
Studio. Just download the PAR file (Pcap ARchive) file created by pcapr.Local
|
17
|
+
and import it into Mu Studio, where your Wireshark data guides Scenario
|
18
|
+
creation.
|
19
|
+
|
20
|
+
You can learn more about pcapr.Local in our announcement
|
21
|
+
[blog](http://labs.mudynamics.com/2011/04/18/announcing-pcaprlocal/).
|
22
|
+
|
23
|
+
![pcapr.Local](http://blog.mudynamics.com/wp-content/uploads/2011/04/pcaprlocal.png)
|
8
24
|
|
9
25
|
## Dependencies
|
10
26
|
|
11
27
|
### Supported Environments
|
12
28
|
|
13
|
-
Linux (any flavor). You can install on a dedicated Linux system or in a
|
29
|
+
Linux (any flavor). You can install on a dedicated Linux system or in a
|
30
|
+
virtual machine (VM).
|
14
31
|
|
15
32
|
### Ruby & Rubygems
|
16
33
|
|
17
|
-
Ruby (1.8.6, 1.8.7, 1.9.2) + Rubygems (1.3.7 or higher). When using Ruby
|
34
|
+
Ruby (1.8.6, 1.8.7, 1.9.2) + Rubygems (1.3.7 or higher). When using Ruby
|
35
|
+
1.8.6, you must install rubygems 1.3.7. Rubygems officially ceased support for
|
36
|
+
ruby 1.8.6 as of the rubygems 1.4.0 release, so any version 1.4.x or higher
|
37
|
+
will not install on a ruby 1.8.6 system.
|
18
38
|
|
19
39
|
### CouchDB
|
20
|
-
Local and remote installations supported. If you have configured a username and password for the CouchDB service, you'll need to provide those user credentials during the pcapr.Local gem installation. On Ubuntu/Debian you can install CouchDB with:
|
21
40
|
|
22
|
-
|
41
|
+
Local and remote installations supported. If you have configured a username
|
42
|
+
and password for the CouchDB service, you'll need to provide those user
|
43
|
+
credentials during the pcapr.Local gem installation. On Ubuntu/Debian you can
|
44
|
+
install CouchDB with:
|
45
|
+
|
46
|
+
$ sudo apt-get install couchdb
|
23
47
|
|
24
48
|
### Wireshark (any version)
|
25
49
|
|
26
|
-
|
50
|
+
pcapr.Local will automatically use the installed version of `tshark` (a
|
51
|
+
component of Wireshark) to create the pcap indexes. When using a package
|
52
|
+
manager (such as aptitude on Ubuntu), you might need to install `tshark`
|
53
|
+
command line utility separately if it's not included as part of the Wireshark
|
54
|
+
installation.
|
27
55
|
|
28
56
|
### Zip (any version)
|
29
|
-
|
57
|
+
|
58
|
+
pcapr.Local requires zip to create PAR files from your indexed pcaps.
|
30
59
|
|
31
60
|
## Running pcapr.Local
|
32
61
|
|
33
|
-
1.
|
34
|
-
2.
|
62
|
+
1. Install the gem.
|
63
|
+
2. Run the `startpcapr` executable that is installed with the gem:
|
64
|
+
|
65
|
+
$ startpcapr
|
66
|
+
|
67
|
+
3. This configuration script asks you some basic questions and records your
|
68
|
+
answers in a config file at `~/.pcapr_local/config` that will be used on
|
69
|
+
subsequent invocations. After collecting configuration information, the
|
70
|
+
server process returns a prompt but continues running in the background.
|
71
|
+
To monitor the process, tail the pcapr.Local log file with:
|
35
72
|
|
36
|
-
|
73
|
+
$ tail -F ~/pcapr.Local/log/server.log
|
37
74
|
|
38
|
-
|
75
|
+
4. Add your packet capture files to the `pcaps` directory you configured
|
76
|
+
(default `~/pcapr.Local/pcaps`) and wait a few minutes for pcapr.Local to
|
77
|
+
index them.
|
39
78
|
|
40
|
-
|
79
|
+
5. Point your web browser to http://localhost:8080 (or whatever you
|
80
|
+
configured).
|
41
81
|
|
42
|
-
|
43
|
-
4. Point your web browser to http://localhost:8080 (or whatever you configured).
|
44
|
-
5. Stop the pcapr.Local server with:
|
82
|
+
6. Stop the pcapr.Local server with:
|
45
83
|
|
46
|
-
|
84
|
+
$ stoppcapr
|
47
85
|
|
48
86
|
## Creating PAR Files
|
49
87
|
|
50
|
-
A PAR file (Pcap ARchive) is a format that can be imported into Mu Studio to
|
88
|
+
A PAR file (Pcap ARchive) is a format that can be imported into Mu Studio to
|
89
|
+
create a Scenario. Although a PAR file is equivalent to a pcap file for the
|
90
|
+
purposes of Scenario creation, because a PAR contains dissection data from
|
91
|
+
your local Wireshark installation, you'll get the full benefits of any custom
|
92
|
+
dissectors used by that installation. Additionally, when you import a PAR file
|
93
|
+
you'll bypass flow selection and go directly to the Scenario Editor.
|
51
94
|
|
52
95
|
### In the Web UI
|
53
96
|
|
54
|
-
Point your web browser to http://localhost:8080 (or whatever you configured),
|
97
|
+
Point your web browser to http://localhost:8080 (or whatever you configured),
|
98
|
+
then select a pcap to view its details. At the bottom of the details page,
|
99
|
+
click the Download PAR File link.
|
55
100
|
|
56
101
|
### On the Command Line
|
57
102
|
|
58
|
-
The gem bundles a CLI tool for creating PAR files called
|
103
|
+
The gem bundles a CLI tool for creating PAR files called `pcap2par`. To use,
|
104
|
+
just provide a path to your pcap:
|
59
105
|
|
60
|
-
$
|
106
|
+
$ pcap2par my_traffic.pcap
|
107
|
+
|
108
|
+
This creates a PAR file called `export.par` in the current directory. You can
|
109
|
+
optionally specify the name of the output file as a second argument:
|
110
|
+
|
111
|
+
$ pcap2par my_traffic.pcap ~/par_files/my_traffic.par
|
112
|
+
|
113
|
+
## Custom Wireshark Command-Line Options
|
114
|
+
|
115
|
+
pcapr.Local supports supplying custom options to `tshark` if the options are
|
116
|
+
added to `~/.pcapr_local/config`. If you need any of these options to make
|
117
|
+
things decode successfully in your environment, you can add them to the
|
118
|
+
tshark.options stanza in the pcapr.Local configuration file.
|
119
|
+
|
120
|
+
"tshark": {
|
121
|
+
"options": "-d tcp.port==2121,ftp"
|
122
|
+
}
|
123
|
+
|
124
|
+
See the [tshark man page](http://www.wireshark.org/docs/man-pages/tshark.html)
|
125
|
+
for more information.
|
126
|
+
|
127
|
+
### User Specified Decodes (Decode As)
|
128
|
+
|
129
|
+
If you use nonstandard TCP / UDP ports or Ethernet / IP protocol numbers in
|
130
|
+
your environment, `tshark` can decode the protocols correctly when you
|
131
|
+
manually map them to the proper dissectors.
|
132
|
+
|
133
|
+
The following command-line option example adds `2121/tcp` as an additional port
|
134
|
+
for FTP traffic:
|
135
|
+
|
136
|
+
-d tcp.port==2121,ftp
|
137
|
+
|
138
|
+
### Custom Lua Dissectors
|
139
|
+
|
140
|
+
If you use custom protocols which are not present in the standard version of
|
141
|
+
`tshark`, you can decode these by creating a Lua script dissector.
|
61
142
|
|
62
|
-
|
143
|
+
The following command-line option example loads a Lua script from
|
144
|
+
`custom_dissector.lua`, and adds it to Wireshark's existing dissector library
|
145
|
+
to support additional protocols:
|
63
146
|
|
64
|
-
|
147
|
+
-X lua_script:custom_dissector.lua
|
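Review bot: the Custom Wireshark Command-Line Options section should say how the `options` value is combined with the built-in defaults; in lib/mu/scenario/pcap.rb the string is joined, unvalidated and verbatim, in front of `-n -o tcp.desegment_tcp_streams:false`, so it must be a single space-separated string of tshark arguments, the defaults still apply, and a malformed value breaks indexing for every pcap rather than the one being tested. It is also worth stating next to the "Point your web browser to http://localhost:8080" step that the UI binds to `app.host` (default `127.0.0.1` per config.rb), so the indexed captures stay reachable only from the local machine unless that setting is changed.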
data/Rakefile
CHANGED
@@ -3,14 +3,16 @@ require 'rake'
|
|
3
3
|
|
4
4
|
require 'jeweler'
|
5
5
|
Jeweler::Tasks.new do |gem|
|
6
|
-
# gem is a Gem::Specification
|
6
|
+
# gem is a Gem::Specification
|
7
|
+
# http://docs.rubygems.org/read/chapter/20
|
7
8
|
gem.name = "pcapr-local"
|
8
9
|
gem.homepage = "http://github.com/pcapr-local/pcapr-local"
|
9
10
|
gem.license = "MIT"
|
10
11
|
gem.summary = %Q{Manage your pcap collection}
|
11
12
|
gem.description = %Q{Index, Browse, and Query your vast pcap collection.}
|
12
|
-
gem.email = "
|
13
|
+
gem.email = "rubygems@mudynamics.com"
|
13
14
|
gem.authors = ["Mu Dynamics"]
|
15
|
+
|
14
16
|
gem.add_dependency "rest-client", ">= 1.6.1"
|
15
17
|
gem.add_dependency "couchrest", "~> 1.0.1"
|
16
18
|
gem.add_dependency "sinatra", "~> 1.1.0"
|
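Review bot: `gem.add_dependency "rest-client", ">= 1.6.1"` (context line in this hunk) is the only runtime dependency without an upper bound; every other dependency uses a pessimistic `~>` constraint. An open-ended `>=` lets any future major release of rest-client be pulled in at install time, so consider `"~> 1.6"` to match the rest of the list.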
@@ -18,15 +20,11 @@ Jeweler::Tasks.new do |gem|
|
|
18
20
|
gem.add_dependency "thin", "~> 1.2.7"
|
19
21
|
gem.add_dependency "rack", "~> 1.2.1"
|
20
22
|
gem.add_dependency "rack-contrib", "~> 1.1.0"
|
21
|
-
|
22
|
-
# and development dependencies are only needed for development (ie running rake tasks, tests, etc)
|
23
|
-
# gem.add_runtime_dependency 'jabber4r', '> 0.1'
|
24
|
-
# gem.add_development_dependency 'rspec', '> 1.2.3'
|
23
|
+
|
25
24
|
gem.add_development_dependency "shoulda", ">= 0"
|
26
25
|
gem.add_development_dependency "bundler", "~> 1.0.0"
|
27
26
|
gem.add_development_dependency "jeweler", "~> 1.5.2"
|
28
27
|
gem.add_development_dependency "rcov", ">= 0"
|
29
|
-
|
30
28
|
end
|
31
29
|
Jeweler::RubygemsDotOrgTasks.new
|
32
30
|
|
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
0.
|
1
|
+
0.2.0
|
data/lib/mu/scenario/pcap.rb
CHANGED
@@ -15,6 +15,7 @@ module Pcap
|
|
15
15
|
TSHARK_READ_TIMEOUT = 10.0 # seconds
|
16
16
|
TSHARK_LINES_PER_PACKET = 16384
|
17
17
|
TSHARK_OPTS = "-n -o tcp.desegment_tcp_streams:false"
|
18
|
+
TSHARK_OPTS_SUFFIX = TSHARK_OPTS
|
18
19
|
TSHARK_SIZE_OPTS = "-n -o 'column.format: cum_size, \"%B\"'"
|
19
20
|
TSHARK_PSML_OPTS = %Q{#{TSHARK_OPTS} -o 'column.format: "Protocol", "%p", "Info", "%i"'}
|
20
21
|
|
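Review bot: `TSHARK_PSML_OPTS` (context line 20 of this hunk) is built from `TSHARK_OPTS` when the file is loaded, so replacing `TSHARK_OPTS` afterwards via `reset_options` in the next hunk leaves the PSML run without the user's custom options, even though the README says those options are what make things decode. Either rebuild `TSHARK_PSML_OPTS` inside `reset_options` or derive it from the current `TSHARK_OPTS` at call time.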
@@ -24,6 +25,13 @@ module Pcap
|
|
24
25
|
EXCLUDE_FROM_SIZE_CHECK = ['rtp'].freeze
|
25
26
|
|
26
27
|
class PcapTooLarge < StandardError; end
|
28
|
+
|
29
|
+
def self.reset_options options
|
30
|
+
return unless options
|
31
|
+
tshark_opts = options << ' ' << TSHARK_OPTS_SUFFIX
|
32
|
+
remove_const(:TSHARK_OPTS) if const_defined?(:TSHARK_OPTS)
|
33
|
+
const_set(:TSHARK_OPTS, tshark_opts)
|
34
|
+
end
|
27
35
|
|
28
36
|
def self.validate_pcap_size(path)
|
29
37
|
tshark_filter = EXCLUDE_FROM_SIZE_CHECK.map{ |proto| "not #{proto}" }.join " and "
|
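Review bot: `options << ' ' << TSHARK_OPTS_SUFFIX` mutates the string passed in, which is the value stored in the config hash, so a second call to `reset_options` appends the suffix again; `tshark_opts = "#{options} #{TSHARK_OPTS_SUFFIX}"` avoids that. `return unless options` also does not catch the `''` default that config.rb now sets, because an empty string is truthy in Ruby, so the constant is rebuilt with a leading space even when nothing was configured; `return if options.nil? || options.strip.empty?` covers both cases. Since the value goes straight from the config file into `TSHARK_OPTS` with no validation, the README should state that it is trusted as-is.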
data/lib/pcapr_local.rb
CHANGED
@@ -69,7 +69,14 @@ module PcaprLocal
|
|
69
69
|
def self.get_db config
|
70
70
|
PcaprLocal::DB.get_db config.fetch("couch")
|
71
71
|
end
|
72
|
-
|
72
|
+
|
73
|
+
def self.set_tshark_options config
|
74
|
+
options = config['tshark']['options']
|
75
|
+
return unless options
|
76
|
+
|
77
|
+
Mu::Scenario::Pcap.reset_options(options)
|
78
|
+
end
|
79
|
+
|
73
80
|
def self.start config=nil
|
74
81
|
config ||= PcaprLocal::Config.config
|
75
82
|
|
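Review bot: `config['tshark']['options']` raises `NoMethodError` on `nil` when the loaded config has no `"tshark"` stanza, which is the case for any `~/.pcapr_local/config` written by 0.1.x unless the loader merges it with `DEFAULT_CONFIG` (not visible here); `options = config.fetch('tshark', {})['options']` keeps an upgrade from failing at startup.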
@@ -93,6 +100,9 @@ module PcaprLocal
|
|
93
100
|
|
94
101
|
# Create pid file that will be deleted when we shutdown.
|
95
102
|
create_pid_file config['pidfile']
|
103
|
+
|
104
|
+
# Override the default tshark options
|
105
|
+
set_tshark_options(config)
|
96
106
|
|
97
107
|
# Get database instance
|
98
108
|
db = get_db config
|
data/lib/pcapr_local/config.rb
CHANGED
@@ -9,14 +9,14 @@ module Config
|
|
9
9
|
|
10
10
|
DEFAULT_CONFIG = {
|
11
11
|
# Shared config.
|
12
|
-
"install_dir"
|
13
|
-
"pcap_dir"
|
14
|
-
"index_dir"
|
12
|
+
"install_dir" => "#{HOME}/pcapr.Local/",
|
13
|
+
"pcap_dir" => "#{HOME}/pcapr.Local/pcaps",
|
14
|
+
"index_dir" => "#{HOME}/pcapr.Local/indexes",
|
15
15
|
|
16
16
|
# UI (Sinatra)
|
17
17
|
"app" => {
|
18
|
-
"host"
|
19
|
-
"port"
|
18
|
+
"host" => '127.0.0.1',
|
19
|
+
"port" => 8080,
|
20
20
|
},
|
21
21
|
|
22
22
|
# Pcap scanning
|
@@ -27,15 +27,20 @@ module Config
|
|
27
27
|
|
28
28
|
# Couch
|
29
29
|
"couch" => {
|
30
|
-
"uri"
|
31
|
-
"database"
|
30
|
+
"uri" => 'http://127.0.0.1:5984/',
|
31
|
+
"database" => 'pcapr_local'
|
32
32
|
},
|
33
33
|
|
34
34
|
# Xtractr
|
35
35
|
"xtractr" => {
|
36
36
|
"path" => 'xtractr',
|
37
37
|
"idle_timeout" => 60 # kill xtractr browser after n seconds of idle time
|
38
|
-
}
|
38
|
+
},
|
39
|
+
|
40
|
+
# tshark
|
41
|
+
"tshark" => {
|
42
|
+
"options" => ''
|
43
|
+
},
|
39
44
|
}
|
40
45
|
|
41
46
|
|
data/pcapr-local.gemspec
CHANGED
@@ -5,13 +5,13 @@
|
|
5
5
|
|
6
6
|
Gem::Specification.new do |s|
|
7
7
|
s.name = %q{pcapr-local}
|
8
|
-
s.version = "0.
|
8
|
+
s.version = "0.2.0"
|
9
9
|
|
10
10
|
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
11
11
|
s.authors = ["Mu Dynamics"]
|
12
|
-
s.date = %q{2011-
|
12
|
+
s.date = %q{2011-12-08}
|
13
13
|
s.description = %q{Index, Browse, and Query your vast pcap collection.}
|
14
|
-
s.email = %q{
|
14
|
+
s.email = %q{rubygems@mudynamics.com}
|
15
15
|
s.executables = ["pcap2par", "startpcapr", "stoppcapr", "xtractr"]
|
16
16
|
s.extra_rdoc_files = [
|
17
17
|
"LICENSE.txt",
|
@@ -228,30 +228,6 @@ Gem::Specification.new do |s|
|
|
228
228
|
s.require_paths = ["lib"]
|
229
229
|
s.rubygems_version = %q{1.3.7}
|
230
230
|
s.summary = %q{Manage your pcap collection}
|
231
|
-
s.test_files = [
|
232
|
-
"test/mu/pcap/reader/tc_http_family.rb",
|
233
|
-
"test/mu/pcap/tc_ethernet.rb",
|
234
|
-
"test/mu/pcap/tc_header.rb",
|
235
|
-
"test/mu/pcap/tc_ipv4.rb",
|
236
|
-
"test/mu/pcap/tc_ipv6.rb",
|
237
|
-
"test/mu/pcap/tc_packet.rb",
|
238
|
-
"test/mu/pcap/tc_pair.rb",
|
239
|
-
"test/mu/pcap/tc_pkthdr.rb",
|
240
|
-
"test/mu/pcap/tc_reader.rb",
|
241
|
-
"test/mu/pcap/tc_tcp.rb",
|
242
|
-
"test/mu/pcap/tc_udp.rb",
|
243
|
-
"test/mu/pcap/tc_wrapper.rb",
|
244
|
-
"test/mu/scenario/pcap/tc_fields.rb",
|
245
|
-
"test/mu/scenario/pcap/tc_rtp.rb",
|
246
|
-
"test/mu/scenario/tc_pcap.rb",
|
247
|
-
"test/mu/tc_pcap.rb",
|
248
|
-
"test/mu/testcase.rb",
|
249
|
-
"test/pcapr_local/tc_api.rb",
|
250
|
-
"test/pcapr_local/test_scanner.rb",
|
251
|
-
"test/pcapr_local/test_xtractr.rb",
|
252
|
-
"test/pcapr_local/testcase.rb",
|
253
|
-
"test/test_pcapr_local.rb"
|
254
|
-
]
|
255
231
|
|
256
232
|
if s.respond_to? :specification_version then
|
257
233
|
current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
|
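Review bot: dropping `s.test_files` means the gem no longer ships its tests, and since this gemspec is generated by Jeweler (see the Rakefile hunk above), confirm that the test files were removed from the repository or excluded deliberately rather than edited out here, otherwise the next `rake gemspec` will restore the list; the diff gives no commit message explaining the removal.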
metadata
CHANGED
@@ -4,9 +4,9 @@ version: !ruby/object:Gem::Version
|
|
4
4
|
prerelease: false
|
5
5
|
segments:
|
6
6
|
- 0
|
7
|
-
-
|
8
|
-
-
|
9
|
-
version: 0.
|
7
|
+
- 2
|
8
|
+
- 0
|
9
|
+
version: 0.2.0
|
10
10
|
platform: ruby
|
11
11
|
authors:
|
12
12
|
- Mu Dynamics
|
@@ -14,7 +14,7 @@ autorequire:
|
|
14
14
|
bindir: bin
|
15
15
|
cert_chain: []
|
16
16
|
|
17
|
-
date: 2011-
|
17
|
+
date: 2011-12-08 00:00:00 -08:00
|
18
18
|
default_executable:
|
19
19
|
dependencies:
|
20
20
|
- !ruby/object:Gem::Dependency
|
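Review bot: the context line `cert_chain: []` here and the empty `signing_key:` in the last hunk show the 0.2.0 gem is published unsigned, so installers cannot verify that the package came from Mu Dynamics beyond trusting the gem server. Since this release already changes the publisher email metadata, it is a good point to start signing releases (`gem cert` plus `signing_key`/`cert_chain` in the gemspec) so users can install with `gem install -P HighSecurity`.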
@@ -179,7 +179,7 @@ dependencies:
|
|
179
179
|
type: :development
|
180
180
|
version_requirements: *id011
|
181
181
|
description: Index, Browse, and Query your vast pcap collection.
|
182
|
-
email:
|
182
|
+
email: rubygems@mudynamics.com
|
183
183
|
executables:
|
184
184
|
- pcap2par
|
185
185
|
- startpcapr
|
@@ -427,26 +427,5 @@ rubygems_version: 1.3.7
|
|
427
427
|
signing_key:
|
428
428
|
specification_version: 3
|
429
429
|
summary: Manage your pcap collection
|
430
|
-
test_files:
|
431
|
-
|
432
|
-
- test/mu/pcap/tc_ethernet.rb
|
433
|
-
- test/mu/pcap/tc_header.rb
|
434
|
-
- test/mu/pcap/tc_ipv4.rb
|
435
|
-
- test/mu/pcap/tc_ipv6.rb
|
436
|
-
- test/mu/pcap/tc_packet.rb
|
437
|
-
- test/mu/pcap/tc_pair.rb
|
438
|
-
- test/mu/pcap/tc_pkthdr.rb
|
439
|
-
- test/mu/pcap/tc_reader.rb
|
440
|
-
- test/mu/pcap/tc_tcp.rb
|
441
|
-
- test/mu/pcap/tc_udp.rb
|
442
|
-
- test/mu/pcap/tc_wrapper.rb
|
443
|
-
- test/mu/scenario/pcap/tc_fields.rb
|
444
|
-
- test/mu/scenario/pcap/tc_rtp.rb
|
445
|
-
- test/mu/scenario/tc_pcap.rb
|
446
|
-
- test/mu/tc_pcap.rb
|
447
|
-
- test/mu/testcase.rb
|
448
|
-
- test/pcapr_local/tc_api.rb
|
449
|
-
- test/pcapr_local/test_scanner.rb
|
450
|
-
- test/pcapr_local/test_xtractr.rb
|
451
|
-
- test/pcapr_local/testcase.rb
|
452
|
-
- test/test_pcapr_local.rb
|
430
|
+
test_files: []
|
431
|
+
|