Monday, January 6, 2014

New CapMe package allows you to download PCAP files

I've updated our CapMe package with some new features.

Retrieving PCAPs using CapMe
CapMe now allows you to retrieve the actual pcap file.  There are two ways to do this:

1.  On the CapMe main page, change the Output option to "pcap" and click the "submit" button.  The pcap will automatically download.

2.  If you choose a tcpflow or bro transcript, hyperlinks to the full pcap will be placed at the top and bottom of the transcript page.

Timezone Support
If you had previously configured Snorby to render timestamps in your local timezone, you would have noticed that pivoting to CapMe would not work since CapMe expects the timestamps to be in UTC.

CapMe now supports setting your local timezone so that it can convert timestamps back to UTC and find sessions properly.  Set your local timezone in /var/www/capme/.inc/timezone.php.

The new package is securityonion-capme - 20121213-0ubuntu0securityonion17 and it resolves the following issues:

Issue 413: Extend CapMe to pull pcap file

Issue 449: CapMe: add timeout:0 to ELSA query

Issue 450: CapMe: add support for Snorby timezones

It has been tested by the following (thanks!):
David Zawdie

The new package is now available in our stable repo.  Please see the following page for full update instructions:

Release Notes

  • When you submit a CapMe request, it creates a symlink to the actual pcap in /var/www/capme/pcap/.
  • /etc/cron.d/capme is a cron job that runs every minute and deletes any symlinks in /var/www/capme/pcap/ older than five minutes.
  • Please be reminded that the management interface of your master server (where CapMe runs) should be connected to a dedicated management network or locked down via firewall rules to only accept connections from analyst IP addresses:
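The two bullets above describe a symlink-plus-cron expiry scheme: a request exposes a short-lived link, and a minute-by-minute job removes links older than five minutes. The shell function below is an added example, not the package's own /etc/cron.d/capme entry (the post does not show its exact command); it implements the same rule against any directory and includes a self-check using constructed links in a scratch directory. It assumes GNU find and touch (as on Ubuntu-based Security Onion), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the Security Onion cron job itself): expire stale
# download symlinks the way the release notes describe. The directory and
# the minute limit are parameters; in production they would be
# /var/www/capme/pcap/ and 5.

# capme_expire_symlinks DIR MINUTES
# Delete only symbolic links (never the real pcaps they point to) whose
# own mtime is older than MINUTES. find(1) without -L uses lstat, so
# -mmin is evaluated on the link itself, not on the target file.
capme_expire_symlinks() {
    dir="$1"; minutes="${2:-5}"
    find "$dir" -maxdepth 1 -type l -mmin +"$minutes" -delete
}

# Count symlinks still present in DIR (used to confirm the cleanup ran).
capme_count_symlinks() {
    find "$1" -maxdepth 1 -type l | wc -l | tr -d ' '
}

# Self-check with constructed sample links in a scratch directory:
# one link backdated as if the request were ten minutes old, one fresh.
# Returns 0 when only the stale link is removed and the real file survives.
capme_selfcheck() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed fake pcap' > "$tmp/real.pcap"
    ln -s "$tmp/real.pcap" "$tmp/old.pcap"
    ln -s "$tmp/real.pcap" "$tmp/fresh.pcap"
    # -h changes the link's own mtime, not the target's (GNU touch).
    touch -h -d '10 minutes ago' "$tmp/old.pcap"
    capme_expire_symlinks "$tmp" 5
    remaining=$(capme_count_symlinks "$tmp")
    target_ok=0; [ -f "$tmp/real.pcap" ] && target_ok=1
    rm -rf "$tmp"
    [ "$remaining" -eq 1 ] && [ "$target_ok" -eq 1 ]
}
```

Run capme_selfcheck before trusting a modified cron entry; a non-zero exit means either the stale link survived or the cleanup followed the link and removed the pcap itself.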

If you have any questions or problems, please use our mailing list:

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!
