
CAPE not sniffing the new interface set in Auxiliary conf #2085

Closed
ParkWork5 opened this issue Apr 25, 2024 · 6 comments

Comments

@ParkWork5

This is open source and you are getting free support so be friendly!

Prerequisites

Please answer the following questions for yourself before submitting an issue.

  • [x] I am running the latest version
  • [x] I did read the README!
  • [x] I checked the documentation and found no answer
  • [x] I checked to make sure that this issue has not already been filed
  • [x] I'm reporting the issue to the correct repository (for multi-repository projects)
  • [x] I have read and checked all configs (with all optional parts)

Expected Behavior

I set a different interface in auxiliary.conf for CAPE to run TCPDump on to sniff traffic. It should sniff the new interface since I did not see any references in the docs or anywhere else that I needed to configure anything else.

Current Behavior

CAPE is not sniffing traffic off the new interface I set in auxiliary.conf.

Steps to Reproduce

  1. Install a new USB NIC.
  2. Change the interface name in auxiliary.conf to the new NIC.
  3. Confirm the interface is up before the run.
  4. Run an analysis.
  5. Looking at the tcpdump command in systemctl status cape.service during a run, CAPE chooses the old interface to sniff.

Context

I have a fully physical CAPE setup. I tried cat'ing and grepping all the files in /opt/CAPEV2 to see where the tcpdump command is run so I could hard-code my new interface, but I didn't see any hits related to that. I can manually run TCPDump on the new interface and it works with no issues.

[Screenshot: AuxiliaryConf]

New NIC in auxiliary.conf set above.

[Screenshot: CapeSniffing]

Picture above is CAPE telling TCPDump to sniff the old interface even though it is no longer configured in auxiliary.conf.

Thanks for the help

@doomedraven
Collaborator

Did you restart cape.service after modifying the config?

@ParkWork5
Author

I restarted the service and the machine with no luck.

@doomedraven
Collaborator

Did you set the interface in kvm.conf? https://github.com/kevoreilly/CAPEv2/blob/master/modules/auxiliary/sniffer.py#L58
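An added diagnostic, not code from the CAPEv2 project, that models the lookup order the linked sniffer.py line points at: a per-machine `interface` in the machinery config (kvm.conf, physical.conf, ...) wins over the machinery section, which wins over `[sniffer] interface` in auxiliary.conf. That ordering, the `resolve_sniffer_interface` helper and the sample configs are assumptions made for the example; the `operstate` check is Linux-only.

```python
import configparser
import os

# Constructed sample configs, not the reporter's actual files.
CUCKOO_CONF = "[cuckoo]\nmachinery = physical\n"
AUXILIARY_CONF = "[sniffer]\nenabled = yes\ninterface = enx00e04c680001\n"
# Machinery section sets a default interface; the machine section sets none.
PHYSICAL_CONF = "[physical]\nmachines = box1\ninterface = eth0\n\n[box1]\nlabel = box1\nip = 192.168.56.101\n"
# Same file with a per-machine override appended to the [box1] section.
PHYSICAL_CONF_PER_MACHINE = PHYSICAL_CONF + "interface = eth1\n"


def _parse(text):
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def resolve_sniffer_interface(cuckoo_conf, machinery_conf, auxiliary_conf, machine_label):
    """Return (interface, source) under the assumed precedence:
    per-machine section > machinery section > auxiliary.conf [sniffer]."""
    machinery = _parse(cuckoo_conf).get("cuckoo", "machinery")
    mcfg = _parse(machinery_conf)
    if mcfg.has_option(machine_label, "interface"):
        return mcfg.get(machine_label, "interface"), f"{machinery}.conf [{machine_label}]"
    if mcfg.has_option(machinery, "interface"):
        return mcfg.get(machinery, "interface"), f"{machinery}.conf [{machinery}]"
    aux = _parse(auxiliary_conf)
    return aux.get("sniffer", "interface", fallback=None), "auxiliary.conf [sniffer]"


def interface_is_up(name, sysfs="/sys/class/net"):
    """True if the kernel knows the interface and reports operstate 'up' (Linux sysfs)."""
    try:
        with open(os.path.join(sysfs, name, "operstate")) as fh:
            return fh.read().strip() == "up"
    except OSError:
        return False


if __name__ == "__main__":
    for conf in (PHYSICAL_CONF, PHYSICAL_CONF_PER_MACHINE):
        iface, source = resolve_sniffer_interface(CUCKOO_CONF, conf, AUXILIARY_CONF, "box1")
        print(f"sniffer would use {iface} (from {source}); up={interface_is_up(iface)}")
```

Whatever interface this resolves to, the host-side sniffer only captures what reaches that interface, which is why a physical guest's traffic is not seen.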

@ParkWork5
Author

I am a full physical setup so I didn't touch kvm.conf. Below is my cuckoo.conf and physical.conf.

[Screenshot: cuckoo.conf]

[Screenshot: physical.conf]

@doomedraven
Collaborator

Well, on physical, sniffing is useless as it can't sniff remote machine traffic.

@ParkWork5
Author

No worries. The network analysis can be done manually.
