scripts from dns-oarc ditl-tools
capture DNS packets on DNS servers, save them as pcap files, then send them to the Yeti storage server
please refer to https://github.com/BII-Lab/Yeti-Project/blob/master/doc/Capture.md
- setup.sh
install dnscap and wrapsrv
- capture-dnscap.sh
capture DNS packets with dnscap https://github.com/verisign/dnscap
- capture-pcapdump.sh
capture DNS packets with pcapdump https://packages.debian.org/sid/pcaputils
You need the patch in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545985
- data-commit.sh
submit the captured pcap files via ssh
notice: ssh PubkeyAuthentication is used, so the user should provide an ssh public key
- settings.sh
configure options for dnscap/pcapdump
configure IFACES: the NICs to capture packets on
configure SSH_ID: the user's SSH private key
configure SAVEDIR: the directory in which pcap files are stored
configure KICK_CMD: choose dnscap or pcapdump
- how to run
1) setup
run 'bash setup.sh'; this installs both dnscap and wrapsrv
to install only one of them, run 'bash setup.sh dnscap' or 'bash setup.sh wrapsrv'
2) run dnscap
sh capture-dnscap.sh
3) add a task to crontab that monitors the dnscap process and restarts it if it has died
"* * * * * root pgrep dnscap || (cd /path/of/script-dir && sh capture-dnscap.sh)"
- note
on Ubuntu 14.04.2 (kernel 4.0.7), dnscap works well.
on CentOS 6 (kernel 2.6.32.*), dnscap works well.
on FreeBSD 10.0, dnscap works well.
on Linux kernels below 3.19, dnscap sometimes loses packets.
so if you use Linux and capture with dnscap, please upgrade your kernel.
the latest dnscap runs as user nobody, so make sure dnscap can write pcaps to the data dir, or specify a
different user in capture-dnscap.sh
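a pre-flight check for the settings.sh values and for the "dnscap runs as nobody" note above, added here as an example and not part of the Yeti scripts; it assumes the variable names from this README (IFACES, SSH_ID, SAVEDIR, KICK_CMD) and a capture user of nobody

```shell
#!/bin/sh
# Added example (not from the Yeti scripts): sanity-check the settings.sh
# values before starting a capture loop. Assumed names: IFACES, SSH_ID,
# SAVEDIR, KICK_CMD (from the README) and CAPTURE_USER=nobody (README note).

# check_kick_cmd CMD -> 0 only for the two capture tools the scripts support
check_kick_cmd() {
    case "$1" in
        dnscap|pcapdump) return 0 ;;
        *) echo "KICK_CMD must be dnscap or pcapdump, got '$1'" >&2; return 1 ;;
    esac
}

# check_ifaces "eth0 eth1" -> 0 if every listed NIC exists on this host
check_ifaces() {
    for i in $1; do
        [ -e "/sys/class/net/$i" ] || ip link show "$i" >/dev/null 2>&1 ||
            { echo "IFACES: no such interface '$i'" >&2; return 1; }
    done
}

# check_ssh_id FILE -> 0 if the private key exists and is not group/world
# readable or writable (ssh refuses keys with loose permissions anyway)
check_ssh_id() {
    [ -f "$1" ] || { echo "SSH_ID: '$1' not found" >&2; return 1; }
    perms=$(ls -ld "$1" | cut -c5-10)      # group and other permission bits
    case "$perms" in
        *[rw]*) echo "SSH_ID: '$1' is readable/writable by others; chmod 600" >&2; return 1 ;;
    esac
    return 0
}

# check_savedir DIR USER -> 0 if DIR exists and USER can plausibly write to it:
# either it is world-writable or USER owns it and has the write bit. Group
# membership is not examined, so confirm with a real capture run afterwards.
check_savedir() {
    [ -d "$1" ] || { echo "SAVEDIR: '$1' is not a directory" >&2; return 1; }
    set -- "$1" "$2" $(ls -ld "$1")        # $3 = mode string, $5 = owner
    case "$3" in ????????w*) return 0 ;; esac
    [ "$5" = "$2" ] || { echo "SAVEDIR: '$1' owned by $5, not writable by $2" >&2; return 1; }
    case "$3" in ??w*) return 0 ;; esac
    echo "SAVEDIR: '$1' has no owner write bit" >&2; return 1
}

# preflight IFACES SSH_ID SAVEDIR KICK_CMD CAPTURE_USER -> 0 if everything passes
preflight() {
    check_ifaces "$1" && check_ssh_id "$2" && check_savedir "$3" "$5" && check_kick_cmd "$4"
}
```

run it from capture-dnscap.sh as `preflight "$IFACES" "$SSH_ID" "$SAVEDIR" "$KICK_CMD" nobody || exit 1` so a bad setting stops the loop before cron keeps restarting a capture that can never write its output.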