Retrieving PCAPs using CapMe
CapMe now allows you to retrieve the actual pcap file. There are two ways to do this:
1. On the CapMe main page, change the Output option to "pcap" and click the "submit" button. The pcap will automatically download.
2. If you choose a tcpflow or bro transcript, hyperlinks to the full pcap will be placed at the top and bottom of the transcript page.
Previously, if you had configured Snorby to render timestamps in your local timezone, pivoting from Snorby to CapMe would not work, because CapMe expected the timestamps to be in UTC. This release adds support for Snorby timezones (see Issue 450 below).
The new package is securityonion-capme - 20121213-0ubuntu0securityonion17 and it resolves the following issues:
Issue 413: Extend CapMe to pull pcap file
Issue 449: CapMe: add timeout:0 to ELSA query
Issue 450: CapMe: add support for Snorby timezones
It has been tested by the following (thanks!):
The new package is now available in our stable repo. Please see the following page for full update instructions:
- When you submit a CapMe request, it creates a symlink to the actual pcap in /var/www/capme/pcap/.
- /etc/cron.d/capme is a cron job that runs every minute and deletes any symlinks in /var/www/capme/pcap/ older than five minutes.
- Please be reminded that the management interface of your master server (where CapMe runs) should be connected to a dedicated management network or locked down via firewall rules to only accept connections from analyst IP addresses:
If you have any questions or problems, please use our mailing list:
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
We especially need help in answering support questions on the mailing list and IRC channel. Thanks!