Packet Capture Options

Published: 2016-11-10. Last Updated: 2016-11-10 12:48:40 UTC
by Johannes Ullrich (Version: 1)
7 comment(s)

As a quick follow-up to Didier's post, I wanted to quickly summarize some of the other tools (aside from tcpdump) that can be used to collect full packet captures. I limited myself to open source tools that are meant to run unattended (no GUI) on a remote system and use libpcap. By using libpcap, all these tools are able to use BPF to limit the collected data and they all produce pcap output.

To make it a bit easier to compare, I added an example command line for each tool that will listen on the eth0 interface and rotate logs once an hour. I am also excluding ssh traffic to show how BPF syntax can be used to limit capture.

daemonlogger: This comes out of the Snort project. One nice option is -M, which in ring-buffer mode (-r) keeps logging packets and deletes the oldest files automatically once the volume holding them fills up past a given percentage. For example, -r -M 90 makes sure disk usage never exceeds 90%. My favorite utility just for that option alone. A typical command line (daemonize, drop privileges to pcapuser/pcapgrp, rotate hourly, name files with the prefix "packetfiles", keep the ring buffer below 90% and exclude ssh):

daemonlogger -d -n packetfiles -g pcapgrp -u pcapuser -t 3600 -r -M 90 -i eth0 not port 22

snort: Snort itself can be used to log packets to a directory (-l) in binary pcap format (-b). Snort appends a Unix timestamp to the log file name (snort.log.<timestamp>), so existing files are never overwritten. But Snort doesn't have a "rotate" option, so to start a new file you need to send snort a signal to reload (or restart it, e.g. from cron).

snort -l /var/log -i eth0 -b -D not port 22

dumpcap: dumpcap comes as part of Wireshark. It can capture packets in monitor mode on wireless interfaces. It has a ring-buffer mode (-b) that keeps the last x files, so you have to make sure those files don't exceed the available space (not as nice as -M in daemonlogger). Note that the ring-buffer options are -b, not -a: -a files:24 or -a duration:3600 are "autostop" conditions and would simply end the capture after 24 files or after an hour. By default it logs in pcapng format, and if you do so you can add a comment to the file (--capture-comment); -P forces classic pcap output instead. In ring-buffer mode a sequence number and timestamp are inserted into the filename. The capture filter is passed with -f.

dumpcap -i eth0 -b duration:3600 -b files:24 -P -w packets.pcap -f "not port 22"

pcapdump: A very simple/basic utility, but it has the unique feature of being able to sample packets (even randomly). It can also limit packet captures to the link/network and transport layer headers and strip off all application data (-H option).

pcapdump -i eth0 -w pcapfile.pcap -u pcapuser -g pcapgrp -r 3600

netsniff-ng: one of the less well known tools, and one I haven't played with yet. It claims to be optimized for performance by taking advantage of newer Linux kernels (zero-copy packet ring buffers). It does not use libpcap, so it is not strictly speaking "in scope" for this list. It also comes with a packet generator (trafgen).

tshark: I just include it here for "completeness". I don't consider it a capture utility. Wireshark provides dumpcap for that.
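Of the tools above only daemonlogger manages disk space for you; dumpcap, pcapdump and snort leave it to you to make sure a ring of hourly files never fills the volume. The script below, an added example that is not part of the diary or of any of these tools, emulates daemonlogger's -M behaviour for the others: it deletes the oldest capture files until the filesystem holding them is at or below a threshold percentage, and it stops rather than spinning when nothing is left to delete. The directory and filename prefix (packets.pcap, as dumpcap would produce) are assumptions; run it from cron beside the capture process, and note that it never touches files that do not start with the prefix.

```shell
#!/bin/sh
# Added example (not from the diary or from any capture tool it lists):
# keep a directory of capture files below a disk-usage percentage, the way
# daemonlogger -r -M <pct> does, for tools that only rotate by time or count.
# Assumptions: capture files share a filename prefix and contain no
# whitespace, and a POSIX "df -P" is available.
set -eu

# Percentage of the filesystem holding $1 that is in use, as a bare integer.
disk_usage_pct() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# Oldest file (by modification time) matching "$1/$2*", or nothing if none.
# ls -t sorts newest first; -r reverses that so the oldest comes first.
oldest_capture() {
    ls -1tr "$1"/"$2"* 2>/dev/null | head -n 1
}

# prune_captures DIR PREFIX MAX_PCT
# Deletes the oldest matching file while usage is above MAX_PCT and prints
# the number of files removed.
prune_captures() {
    dir=$1 prefix=$2 max_pct=$3 removed=0
    while [ "$(disk_usage_pct "$dir")" -gt "$max_pct" ]; do
        victim=$(oldest_capture "$dir" "$prefix")
        [ -n "$victim" ] || break   # nothing left to delete: do not spin forever
        rm -f -- "$victim"
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Demo on constructed sample files (mtimes set explicitly so the order is
# deterministic); uses the real filesystem usage of the temp directory.
demo() {
    tmp=$(mktemp -d)
    for h in 00 01 02; do
        : > "$tmp/packets.pcap_$h"
        touch -t "20161110${h}00" "$tmp/packets.pcap_$h"
    done
    echo "oldest: $(oldest_capture "$tmp" packets.pcap)"
    echo "removed: $(prune_captures "$tmp" packets.pcap 90)"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh prune.sh demo` to see it act on the sample files, or drop the demo and call `prune_captures /var/log/pcap packets.pcap 90` from an hourly cron job. The threshold check is a function so it can be replaced (for example with a byte budget) without touching the deletion loop.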

Any other options I forgot about? (open source, non-GUI, libpcap compatible...)

Links to tools:

Daemonlogger: https://snort.org/downloads#additional_downloads
Snort: https://snort.org
Dumpcap: http://www.wireshark.org
pcapdump: https://launchpad.net/ubuntu/precise/+package/pcaputils
netsniff-ng: http://netsniff-ng.org

---
Johannes B. Ullrich, Ph.D.

Comments

I tweeted this to you, but I use ngrep a lot, I mean really a lot, because a lot of my packet capture/analysis comes from running daemons that look for specific packets that contain specific terms to then operate some bash script on, and ngrep is priceless. I'm sure the same grep ability is available in a lot of other packages, and it mimics tcpdump in quite a lot of its commands, but I just like ngrep.

I read this SANS diary (link below) a while back and was surprised I had never heard of using native "netsh" to capture packets on a Windows system. It's not a 3rd party program, but I felt it should be noted as it really comes in handy when you have restrictions on what software can be installed and executed on a system. It doesn't give you a pcap but rather a .etl file. However, with PowerShell or Microsoft's Message Analyzer app this can quickly be converted to a .cap file and analyzed with your pcap program of choice (e.g. Wireshark). Just thought it would be nice to re-share on this posting!

(note: if trying this, I was NOT able to convert the .etl file to .cap when capturing off a wireless card... only a physical NIC (or VM NIC). I forget why this is, but wanted to save you some time if you try yourself!)

https://isc.sans.edu/diary/19409

ngrep is more packet analysis than actual capture of traffic. So you would use it after one of the tools above.

netsh: yes! Great option for Windows users. For the wireless traffic, it may capture the 802.11 frames and your tools may not understand that. Send 'em a sample; maybe there is a trick to convert them.

I love ngrep and have used it for both capture and analysis, but alas it seems to no longer be maintained (unfortunately, it can't handle IPv6), which is part of why I wrote pngrep.pl. I mentioned it in https://isc.sans.edu/forums/diary/Are+your+tools+ready+for+IPv6+part+1/11317/ and it can currently be found in my github repo https://github.com/clausing/scripts/blob/master/pngrep.pl

IPv6: is this ever going to be the standard? I know it's off topic, but are we ever going to be where an endpoint is only IPv6?

I totally do not understand or appreciate it yet, but I'm guessing I will have no choice at some point in time.

We're using a small tool called "gulp" for full packet capture.
Seems it's not very well known, but it does a good job with a reasonable performance impact (compared to other tools we tried).
It also offers round robin file rotation with configurable file sizes and counts.
Links:
https://staff.washington.edu/corey/gulp/
You'll have to apply the patch from http://blog.crox.net/archives/72-gulp-tcpdump-alternative-for-lossless-capture-on-Linux.html.

I haven't used them, but I did stumble upon an interesting set of tools during some research I was doing: http://www.ntop.org/