From c2dcc2388b5ecb586829ef65d029869112bb6560 Mon Sep 17 00:00:00 2001 From: Nick Baggott Date: Mon, 4 Apr 2011 14:34:16 -0700 Subject: [PATCH] replace README --- README.html | 468 ++++++++++++++++++++++++++++++++++++++++++++++++++++ README.md | 64 ------- 2 files changed, 468 insertions(+), 64 deletions(-) create mode 100644 README.html delete mode 100644 README.md diff --git a/README.html b/README.html new file mode 100644 index 0000000..b4caa97 --- /dev/null +++ b/README.html @@ -0,0 +1,468 @@ + + + + + Pcapr.Local + + + + +
+

Pcapr.Local

+
+
+

Pcapr.Local is a gem that can automatically parse any packet capture and create a .par file suitable for generating a Scenario in Mu Studio. It's designed to help you create Scenarios for proprietary protocols that need custom Wireshark dissectors (pcapr.Local uses the locally-installed Wireshark application when indexing a .pcap).

+

This document provides details for the following:

+ +

After installing and configuring Pcapr.Local, you can copy or move your pcap files to the designated pcaps directory and Pcapr.Local will automatically index those files. Then, using a web browser, you can view the list of pcaps and their indexes, generate reports, or download the index as a PAR file that you can use in Mu Studio to create a Scenario.

+

Requirements

+

To run pcapr.Local, you must install it on a system that also includes the following:

+ +

back to top ↑

+

 

+

Installing & Configuring

+

After ensuring that your Linux system has all the necessary pre-requisites for running Pcapr.Local, you can download the pcapr-local gem and configure it for your system.

+

You can install and run pcapr.Local as a root user or as a regular (non-root) user. If the Linux system has Internet connectivity, you can use the gem command (supported by rubygems) to quickly download and install the Pcapr.Local gem. Otherwise, you'll need to manually download the gem and copy it to the Linux system before installing.

+

After installing the gem, configure the gem by answering a few questions about where you want to store pcaps and indexes, the IP and port on which you want to access pcapr.Local, and the location of your CouchDB service (your answers are saved as a configuration file at: ~/.pcapr_local/config). When configuration is complete, the pcapr server process continues running in the background, performing tasks such as checking for new pcaps and creating indexes.

+

To view activities during configuration, tail the pcapr.Local log file with the command: tail -F ~/pcapr.Local/log/server.log

+

To Install Pcapr.Local:

+

To install over the Internet:

+
    +
  1. Login to the Linux system on which you want to install pcapr.Local.
    2. +
  2. Install the pcapr-local gem using the gem command: +

    gem install pcapr-local

    +
    3. +
+

To install manually:

+
    +
  1. Download the pcapr.Local gem from http://rubygems.org/gems/pcapr-local.
    2. +
  2. Copy the gem to the Linux system on which you want to install the gem.
    3. +
  3. Login to the Linux system.
    4. +
  4. Change to the directory that contains the gem, then install it using the gem command: +

    gem install pcapr-local.gem

    +
    5. +
+

To Configure Pcapr.Local:

+
    +
  1. Run the configuration tool using the startpcapr command:
    2. +
+
+

startpcapr

+

This command starts the configuration process in which you'll be asked several questions.

+
+
    +
  1. Answer the following seven (7) questions when prompted:
    2. +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Question Answer
A. Where should pcapr.Local store user files?

[/root/pcapr.Local]

+

Press Enter to accept this default. This sets the directory for storing all pcapr-related files.

B. Which directory would you like to scan for indexable pcaps?

[/root/pcapr.Local/pcaps]

+

Press Enter to accept this default. This sets the directory for storing packet captures. Any .pcap file you place in this directory will be automatically indexed by pcapr.Local.

C. Where would you like to store index files?

[/root/pcapr.Local/indexes]

+

Press Enter to accept this default. This sets the directory for storing .pcap indexes. Indexes are automatically created for every .pcap file in the pcapr.Local/pcaps directory (or whatever directory you specified as the pcap repository in question A).

D. What IP address should pcapr.Local run on?

[127.0.0.1]

+

Press Enter to accept this default. This sets the IP address at which you can access pcapr.Local. For example, if you want to access pcapr.Local at IP address 10.10.1.175 , you should enter that address here.

E. What port should pcapr.Local listen on?

[8080]

+

Press Enter to accept this default. This sets the port at which you can access pcapr.Local. For example, if you want to access pcapr.Local at 10.10.1.175:8888, you should enter 8888 here.

F. Pick a name for your CouchDB database (database will be created automatically).

[pcapr_local_root]

+

Press Enter to accept this default. This creates a CouchDB database for pcaps and their indexes.

G. pcapr.Local requires CouchDB to run. Where is your CouchDB server?

[http://127.0.0.1:5984]

+

If you have not yet configured a username and password for the CouchDB service, press Enter to accept this default.

+

However, if you have configured a username and password for the CouchDB service, you must provide those user credentials. Type the following and then press Enter:

+

http://user:password@127.0.0.1:5984

+
    +
  1. After answering all questions, the following message confirms a successful installation:
    +
    2. +
+ + + + + +

Thank you. Configuration is saved at /root/.pcapr_local/config.
+ Starting server at ip:port
+ Log is at /root/pcapr-directory/log/server.log
+ Moving server process to the background. Run 'stoppcapr' to stop the server.

Where ip:port are values given in questions D and E.

+

Where pcapr-directory is the value given in question A.

+

You are now ready to copy your .pcap files into the pcap directory, where pcapr.Local will automatically index them and create PAR files that you can use in Mu Studio to generate Scenarios.

+

back to top ↑

+

Using Pcapr.Local

+

After installing and configuring pcapr.Local, you can copy your .pcap files into the pcap directory, where pcapr.Local will automatically index them and create a .par file (a Pcap ARchive, or PAR) that you can use in Mu Studio to generate Scenarios. (A PAR file contains dissection data from your local Wireshark installation, enabling you to use custom dissectors for proprietary protocols.)

+

When you've moved some pcaps into the pcaps directory, you are ready to use the Pcapr.Local UI to view the indexes for those pcaps. The UI has three components:

+ +

Keep in mind that any changes made at the command line will take about a minute to appear in the UI.

+

To View Indexes & Get PAR files:

+
    +
  1. Add packet captures into the pcaps directory (/root/pcapr.Local/pcaps by default). For example, to move all .pcap files from a local directory to the pcaps folder on the Linux system, type:
    2. +
+
+

scp *.pcap root@linux-ip:pcapr.Local/pcaps

+
+
    +
  1. Wait about about a minute. Pcapr.Local checks the pcap directory every 60 seconds, indexing any new pcaps automatically.
    2. +
  2. Using your web browser, view the indexed pcaps at http://ip:port/home/index.html (where ip:port is IP address and port on the Linux system you configured during pcapr.Local configuration).
    3. +
  3. Select the .pcap for which you want to view details:
    +
      +
    • Clicking the file.pcap link takes you to pcapr.net, where you can use xtractor to explore the indexed pcap.
      • +
    • Selecting indexed returns you to the list of indexed pcaps.
      • +
    +
    4. +
  4. Click PAR file to download the .par file for that .pcap.
    +
    5. +
  5. In Mu Studio, import the .par file to create a Scenario. Because the packet capture has already been dissected, the generation process skips flow selection and automatically displays the Scenario Editor.
    6. +
+

back to top ↑

+

Tips & Tricks

+

The following section includes tips and tricks for using pcapr.Local.

+

Pcapr.Local Doesn't See Pcaps

+

If you added pcaps to the pcap directory but they don't appear in the list of indexed pcaps, try the following:

+ +

Cannot Download a PAR File

+

If you get an error when attempting to download the PAR file for a pcap, you probably don't have Zip installed on your Linux system. Try installing Zip (on Ubuntu, type apt-get install zip) then try to download the PAR file again (you don't need to re-index the pcap).

+

Starting & Stopping Pcapr.Local

+ +

Organizing Pcaps

+

When managing large numbers of pcaps, use the command line to create subdirectories in the pcaps directory (mkdir directory-name), then place pcaps files in these subdirectories. Pcapr.Local will automatically index any .pcap file in the main pcaps directory and any included subdirectories.

+

In the pcapr.Local UI, select the Folders tab to view a list of subdirectories in the pcap directory. However, you'll need to put at least one pcap into a subdirectory before that directory will appear in the Folders tab (and you might need to wait up to 60 seconds).

+

Getting PAR files From the Command Line

+

You can create PAR files at the command line instead of using the pcapr.Local UI.

+
    +
  1. Login to the Linux system running pcapr.Local.
    2. +
  2. Change to the pcaps directory.
    3. +
  3. Specify the name of the pcap using the pcap2par command: +

    pcap2par filename.pcap

    +
    4. +
+
+

This command creates a PAR file called export.par in the current directory.

+

To specify the location and name of the .par file, use a path argument with the pcap2par command. For example:

+

pcap2par my-test-traffic.pcap ~/par_files/my-test-traffic.par

+

This command creates a .par file named "my-test-traffic.par" in the "par_files" directory.

+
+

back to top ↑

+
+ + + diff --git a/README.md b/README.md deleted file mode 100644 index f858e31..0000000 --- a/README.md +++ /dev/null @@ -1,64 +0,0 @@ -# pcapr.Local # - -## Introduction - -pcapr.Local is a tool for browsing and managing a large repository of packet captures (pcaps). After you tell pcapr.Local where your pcaps are located, it will index them automatically and let you navigate your collection in the comfort of your web browser. pcapr.Local builds on and integrates with [Xtractr](http://code.google.com/p/pcapr/wiki/Xtractr) so you can analyze your pcaps in the Xtractr web UI. The Xtractr web UI is hosted on pcapr.net but talks to a local Xtractr instance (managed by pcapr.Local) and your data never leaves your network. - -In addition to managing your pcaps, you can use pcapr.Local to leverage your custom wireshark dissectors when creating Scenarios in Mu Studio. PAR files (described below) created by pcapr.Local can be imported into Mu Studio just like a pcap, but Mu Studio will use your wireshark data to guide Scenario creation. - -## Dependencies - -### CouchDB -CouchDB needs to be available. Either or local or remote installation will work. On Ubuntu/Debian you can install CouchDB with: - - $ sudo apt-get install couchdb - -### Wireshark - -You need to have wireshark installed. In particular the command line "tshark" utility should be available. - -### Ruby - -Tested with Ruby 1.8.6, 1.8.7, and 1.9.2. - -## Supported environments - -Linux only. Sorry. - -## Running pcapr.Local - -1. Install the gem. -2. Run the "startpcapr" executable that is installed with the gem: - - $ startpcapr - -This will ask you some basic questions, and will record your answers in a config file at ~/.pcapr_local/config that will be used on subsequent invocations. After collecting configuration information, the server process will continue running in the background and you'll get your prompt back. If you like to keep an eye on what's going on you can tail the pcapr.Local log file with: - - $ tail -F ~/pcapr.Local/log/server.log - -3. Add pcaps to the pcap directory you configured (default ~/pcapr.Local/pcaps) and wait a short while for them to be noticed and indexed (about a minute). -4. Point your browser to http://localhost:8080 (or whatever you configured). -5. If you want to stop the pcapr.Local server you can do so with: - - $ stoppcapr - -## Creating PAR files - -A PAR file (Pcap ARchive) is a format that can be imported onto a Mu Studio to create a Scenario. For purposes of Scenario creation, a PAR file is equivalent to the starting pcap with a couple of exceptions: - -1. The PAR file contains wireshark dissection data from your local wireshark installation. This means you get the full benefits of any custom dissectors you may have. -2. When you import a PAR you'll bypass the normal flow selection page and go directly to the Scenario editor. - -### In the GUI - -Select a pcap in the pcapr.Local browser. The page that opens has a link at the bottom that lets you download a PAR file for that pcap. - -### On the Command Line - -The gem bundles a CLI tool for creating PAR files called 'pcap2par'. Usage is very simple, just provide a path to your pcap: - - $ pcap2par my_traffic.pcap - -This will create the PAR file called "export.par" in the current directory. You can optionally specify the output file as a second argument: - - $ pcap2par my_traffic.pcap ~/par_files/my_traffic.par