
Pulling PCAP

Mike Reeves edited this page Jul 25, 2019 · 8 revisions

PCAP via Sensoroni

PCAP is now available via pivot from Kibana to Sensoroni. Pivoting to PCAP from Kibana in Hybrid Hunter is the same process as in the current version: click the _id hyperlink on the session you would like to pull:

[Screenshot: Pivot]

This opens a new browser tab in Sensoroni, where you should land on a screen that looks like this:

[Screenshot: Job]

Refresh this page after a few seconds and you should see:

[Screenshot: Jobdefault]

You can now switch between HEX and ASCII and expand the results.

Searching and Saving PCAP manually

To search PCAP directly, ssh to the sensor and use commands like the following:

sudo docker exec -it so-steno stenoread 'before 2018-11-24T01:58:00Z and after 2018-11-23T23:50:00Z' 'port 80 and host 192.168.140.20' -n -XXX

To save the PCAP to a file in 1.0.4:

sudo docker exec -it so-steno stenoread 'before 2018-11-24T01:58:00Z and after 2018-11-23T23:50:00Z' 'port 80 and host 192.168.2.20' -w /nsm/pcapout/somepcap.pcap

Notice that it is no longer necessary to save the PCAP to a separate file in order to review it. This is handy when you are spot checking something you suspect is a false positive and do not want to waste disk space on a duplicate copy of the session. Also note that the query returns much faster if you narrow it down to a specific timespan.
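As an added example (not from this wiki or from Security Onion's own tooling), the helper below turns an event time taken from Kibana into a narrow, padded stenoread time window and prints the matching docker command, either dumping to the terminal or writing under /nsm/pcapout. The function names, the padding argument and the reliance on GNU date are this example's own assumptions.

```shell
#!/bin/bash
# Added example, not part of the Security Onion wiki. Builds the stenoread
# invocation shown on this page from an event timestamp plus a padding in
# minutes, so the time window stays narrow and the query returns quickly.
STENO_CONTAINER="so-steno"      # container name used on the page
PCAP_OUT_DIR="/nsm/pcapout"     # output directory used on the page

# Accept only RFC 3339 UTC timestamps of the form YYYY-MM-DDTHH:MM:SSZ.
is_utc_ts() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-5][0-9]:[0-5][0-9]Z) return 0 ;;
    *) return 1 ;;
  esac
}

# Print a stenotype time clause centred on the event, padded by N minutes
# (default 5). Uses GNU date -d, as found on the sensor.
time_clause() {
  local event="$1" pad="${2:-5}" epoch
  is_utc_ts "$event" || { echo "bad timestamp: $event" >&2; return 1; }
  epoch=$(date -u -d "$event" +%s) || return 1
  printf 'before %s and after %s' \
    "$(date -u -d "@$((epoch + pad * 60))" +%Y-%m-%dT%H:%M:%SZ)" \
    "$(date -u -d "@$((epoch - pad * 60))" +%Y-%m-%dT%H:%M:%SZ)"
}

# Print the full command. With a bare output filename the PCAP is written under
# /nsm/pcapout; without one it is dumped to the terminal as hex and ASCII.
stenoread_cmd() {
  local event="$1" pad="$2" bpf="$3" outfile="$4" clause
  clause=$(time_clause "$event" "$pad") || return 1
  case "$bpf" in *"'"*) echo "single quote in BPF filter" >&2; return 1 ;; esac
  if [ -n "$outfile" ]; then
    case "$outfile" in */*) echo "outfile must be a bare filename" >&2; return 1 ;; esac
    printf "sudo docker exec -it %s stenoread '%s' '%s' -w %s/%s\n" \
      "$STENO_CONTAINER" "$clause" "$bpf" "$PCAP_OUT_DIR" "$outfile"
  else
    printf "sudo docker exec -it %s stenoread '%s' '%s' -n -XXX\n" \
      "$STENO_CONTAINER" "$clause" "$bpf"
  fi
}

# Example call (constructed values): review the command, then run it on the sensor.
# stenoread_cmd 2018-11-24T00:30:00Z 5 'port 80 and host 192.168.140.20'
```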
