Install the Perl requirements. This can be taken care of with the command below.
cpanm Virani
Configure it.
For example, on FreeBSD, if you have daemonlogger set up with something like the following:
daemonlogger_enable="YES"
daemonlogger_flags="-f /usr/local/etc/daemonlogger.bpf -d -l /var/log/daemonlogger -t 120"
then a basic config would look like the following.
default_set='default'
allowed_subnets=["192.168.14.0/23", "127.0.0.1/8"]
[sets.default]
path='/var/log/daemonlogger'
regex='(?<timestamp>\d\d\d\d\d\d+)(\.pcap|(?<subsec>\.\d+)\.pcap)$'
strptime='%s'
For more information on the config file, see the POD for Virani.
For example, grabbing port 53 traffic between two timestamps can be done like the following.
virani -s 2023-02-27T11:00:18 -e 2023-02-27T11:31:18 port 53
The time may also be specified relative to the current time, like below.
now       current time
now-30    30 seconds ago
now-30m   30 minutes ago
now-30h   30 hours ago
now-30w   30 weeks ago
So if you wanted to find all port 53 traffic in the last minute, you could do something like below.
virani -s now-1m -e now port 53
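The config above (the file regex, strptime='%s', and daemonlogger's "-t 120" rotation) and the now-N time specs together decide which PCAP files a request has to read. The following is an added example in Python, not Virani's own Perl code, showing that selection end to end: it converts the Perl-style named groups in the README's regex to Python syntax, parses the relative time forms listed above, and picks the files whose capture window overlaps the requested range. The file names, the "now" value, and the assumption that each file covers 120 seconds from its name's timestamp (and that naive ISO timestamps are UTC) are constructed for this example.

```python
"""Added example (Python, not Virani's own Perl): turn a Virani-style set
config plus -s/-e time specs into the list of daemonlogger PCAP files
that can contain packets for the requested window."""
import re
from datetime import datetime, timezone

# [sets.default] values copied from the README's example config.
SET_PATH = '/var/log/daemonlogger'
SET_REGEX = r'(?<timestamp>\d\d\d\d\d\d+)(\.pcap|(?<subsec>\.\d+)\.pcap)$'
SET_STRPTIME = '%s'
# daemonlogger_flags in the README use "-t 120": a new file every 120 s.
ROTATE_SECONDS = 120


def perl_to_python_regex(regex: str) -> str:
    """Perl writes named groups as (?<name>...); Python's re wants (?P<name>...)."""
    return re.sub(r'\(\?<(\w+)>', r'(?P<\1>', regex)


FILE_RE = re.compile(perl_to_python_regex(SET_REGEX))


def file_start_epoch(name: str):
    """Capture start time (epoch seconds) encoded in a file name, or None if
    the name does not match the set's regex (non-PCAP files are skipped)."""
    m = FILE_RE.search(name)
    if not m:
        return None
    ts = m.group('timestamp')
    if SET_STRPTIME == '%s':          # epoch seconds: no strptime needed
        epoch = float(ts)
    else:                             # other formats: parsed as UTC (assumption)
        epoch = datetime.strptime(ts, SET_STRPTIME).replace(tzinfo=timezone.utc).timestamp()
    subsec = m.group('subsec')        # optional fraction, e.g. "1677495978.5.pcap"
    if subsec:
        epoch += float('0' + subsec)
    return epoch


# Relative forms listed in the README: now, now-30 (seconds), now-30m/h/w.
REL_RE = re.compile(r'^now(?:-(\d+)([mhw]?))?$')
UNIT_SECONDS = {'': 1, 'm': 60, 'h': 3600, 'w': 604800}


def parse_time(spec: str, now: float) -> float:
    """Turn a -s/-e value into epoch seconds. Handles the README's now-N[mhw]
    forms and ISO 8601 timestamps (read as UTC, an assumption here); the real
    tool accepts anything Time::Piece::Guess understands."""
    m = REL_RE.match(spec)
    if m:
        if m.group(1) is None:        # bare "now"
            return now
        return now - int(m.group(1)) * UNIT_SECONDS[m.group(2)]
    return datetime.fromisoformat(spec).replace(tzinfo=timezone.utc).timestamp()


def select_files(names, start: float, end: float, rotate: int = ROTATE_SECONDS):
    """Files whose capture window [T, T+rotate) overlaps [start, end], where T
    is the timestamp in the file name. Using the rotation interval from
    daemonlogger's -t as the window length is an assumption of this example."""
    if end < start:
        raise ValueError('end timestamp is before start timestamp')
    chosen = []
    for name in names:
        t = file_start_epoch(name)
        if t is None:
            continue
        if t <= end and t + rotate > start:
            chosen.append(name)
    return sorted(chosen, key=file_start_epoch)


# Constructed directory listing: files starting 11:00:18, 11:02:18, 11:04:18
# and 11:06:18.5 UTC on 2023-02-27, plus an unrelated file.
SAMPLE_FILES = [
    '1677495618.pcap', '1677495738.pcap', '1677495858.pcap',
    '1677495978.5.pcap', 'README.txt',
]

if __name__ == '__main__':
    now = 1677495900.0                           # constructed "current time"
    start = parse_time('now-2m', now)            # 11:03:00 UTC
    end = parse_time('now', now)                 # 11:05:00 UTC
    for f in select_files(SAMPLE_FILES, start, end):
        print(f'{SET_PATH}/{f}')
```

Only the two files whose 120-second windows touch 11:03:00 to 11:05:00 are reported; the file that started at 11:00:18 closed before the window and the one starting at 11:06:18.5 began after it. Those are the files worth feeding to tcpdump or tshark with the requested BPF filter.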
The help info for virani is below. For more info, check out the POD for the module Virani and the script Virani.
--help            Print this.
-h                Print this.
--version         Print version.
-v                Print version..
-r <remote>       Remote URL or config file for remote info.
-a <apikey>       API key for remote URL if needed.
-f <filter>       Filter for use with tshark or tcpdump.
-t <type>         tcpdump or tshark
                  Default :: tcpdump
-t <set>          Set to use. If undef, uses whatever the default is.
                  Default :: undef
--config <config> Config file to use.
                  Default :: /usr/local/etc/virani.toml
-s <timestamp>    Start timestamp. Any format supported by
                  Time::Piece::Guess is usable.
-e <timestamp>    End timestamp. Any format supported by
                  Time::Piece::Guess is usable.
-w <output>       The file to write the PCAP to.
                  Default :: out.pcap
--nc              If cached, do not use it.
-k                Do not check the SSL cert for HTTPS for remote.
This software is Copyright (c) 2023 by Zane C. Bowers-Hadley.
This is free software, licensed under:
The GNU Lesser General Public License, Version 2.1, February 1999