From: Leon W. <le...@le...> - 2015-08-21 10:22:40

Hi, I found this interesting and I hadn't noticed that mergecap had moved to default to pcap-ng. It's clear that Snort and tcpdump both work with it fine (at least on the systems I use here). Tshark is able to read the pcapng file, just not from STDIN. I've never tried to pipe something to tshark like this before so I don't know the limitations. pcapng is also the new standard format for all Wireshark (as of 1.8, according to the Internets) including tshark.

Is it tshark you're specifically trying to use, and is there a reason why you can't open the file via -r?

lward@openfpc:~/openfpc$ tshark -h |grep stdin
  -r <infile>              set the filename to read from (no pipes or stdin!)

Glad that there is a simple fix for you, but I'm asking all of these questions to work out if I should make this change by default.

On Fri, Aug 21, 2015 at 1:17 AM, Igor Kaplan <igo...@gm...> wrote:
> Hi all,
>
> Sorry for my last message. Everything is fine now. It was completely my
> fault. Was connecting to the wrong IP address!
>
> The -F switch for the mergecap utility fixed the problem.
>
> Thanks.
>
> From: Igor Kaplan [mailto:igo...@gm...]
> Sent: Thursday, August 20, 2015 5:16 PM
> To: 'Leon Ward'
> Cc: ope...@li...
> Subject: RE: [Openfpc-users] Openfpc usage
>
> Hi Leon,
>
> Need your help please once again.
> Got the following problem and spent several hours trying to solve it.
>
> When making the API call to fetch the pcap data I am getting the data in
> pcapng format.
> The OpenFPC is using the mergecap to merge pcap files and by default
> mergecap creates the output in pcapng format instead of pcap.
>
> I have changed the following line in the openfpc-default.conf file
>
> MERGECAP=/usr/bin/mergecap -F pcap
>
> This helped when I use the openfpc-client command to create pcap files,
> however when I use curl to fetch the data I still receive the output in
> pcapng format.
>
> curl -k 192.168.145.20:4222/api/1/fetch?apikey=38A69684-41F6-11E5-B47F-C061B4CE8A48\&stime=20150818%2010:00\&etime=20150818%2010:30\&dpt=22 > list.pcap
>
> cat list.pcap|tshark -i-
> Capturing on 'Standard input'
> tshark: Unrecognized libpcap format
>
> Looks like in the case of an API call the mergecap utility is not used at all.
> And I was not able to find in the code how merging is done in this case.
>
> Could you please help me? Is it possible to make the fetch API call to
> return the data in pcap format?
>
> Thanks so much!
>
> Igor
>
> From: leo...@gm... [mailto:leo...@gm...] On Behalf Of Leon Ward
> Sent: Tuesday, August 18, 2015 1:29 PM
> To: Igor Kaplan
> Cc: ope...@li...
> Subject: Re: [Openfpc-users] Openfpc usage
>
> Actually it won't. It will only remove the oldest PCAP file. It's best to
> keep those PCAP files on their own partition.
>
> The old flow records in mysql actually get removed automatically based on
> the oldest packet in the store. So you won't have records that are older
> than the pcaps.
>
> -L
>
> On Tue, Aug 18, 2015 at 6:21 PM, Igor Kaplan <igo...@gm...> wrote:
>
> Hi Leon, all,
>
> I have one more question please.
>
> Based on the documentation the following line in the openfpc config file
> restricts the space usage of captured data to 50 percent:
>
> PCAP_SPACE=50
>
> So, if the data size exceeds 50 percent old files will be deleted
> automatically?
> Will openfpc also delete the old MySQL session tables?
>
> Many thanks and all the best!
>
> -Igor.
>
> From: leo...@gm... [mailto:leo...@gm...] On Behalf Of Leon Ward
> Sent: Monday, August 17, 2015 11:51 AM
> To: Igor Kaplan
> Cc: ope...@li...
> Subject: Re: [Openfpc-users] Openfpc usage
>
> Hi,
>
> Documentation is really one of the places that really needs some extra
> focus.
>
> The best docs I can point you to are in that folder, plus there is some
> out-of-date info on my blog http://www.leonward.com.
> I actually delivered a presentation at Defcon last weekend all about
> OpenFPC. I have forwarded the slides separately. Hopefully that will help
> as well.
>
> As for your specific question about the OpenFPC GUI: that's actually now been
> deprecated as it's no longer relevant for how it functions in a distributed
> manner. The OpenFPC-Chrome Extension will be the next best thing for
> interacting with the QueueDaemon remotely in a GUI-like way.
>
> Cheers,
>
> -L
>
> On Mon, Aug 17, 2015 at 4:25 PM, Igor Kaplan <igo...@gm...> wrote:
>
> Hi All,
>
> My name is Igor. I just found the OpenFPC and am evaluating it. Looks like
> it is a very good tool.
> I successfully installed on Ubuntu 14.4 with Perl 5.18
> I have installed the OpenFPC-master, so it is the latest code.
>
> Now I would like to find out if there is more documentation beside the files
> which I could find under the docs directory.
> For example the INSTALL.md refers to the USAGE document, however I was
> not able to find it anywhere.
>
> I am looking for the usage other than basic, just to find out what
> my advanced options are.
>
> For example the openfpc-dbmaint.sh script is also able to create the gui
> database, I wonder what it is for?
>
> The OpenFPC looks to be very powerful, I just would like to understand it as
> best as I can.
>
> Would so much appreciate any replies.
>
> Many thanks.
>
> Igor.
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Openfpc-users mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openfpc-users
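The "Unrecognized libpcap format" error in the thread comes from handing a pcapng file to tshark -i -, which only accepts classic libpcap on stdin. The following is an added example, not code from the thread or from OpenFPC: it classifies a capture by its magic bytes and, for pcapng input, converts it with the same mergecap -F pcap call the thread uses. It assumes mergecap (from Wireshark) is on PATH only when a conversion is actually needed; all file names and sample headers are constructed.

```shell
#!/bin/sh
# Added example: detect pcap vs pcapng by magic bytes and convert pcapng
# to classic pcap before piping a capture to tshark -i -.

# Print pcap, pcapng or unknown for the file given as $1.
capture_format() {
    # First four bytes as lower-case hex, e.g. "d4c3b2a1"; empty if unreadable.
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        # libpcap: microsecond and nanosecond variants, both byte orders.
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) echo pcap ;;
        # pcapng: Section Header Block type 0x0A0D0D0A, identical in both orders.
        0a0d0d0a) echo pcapng ;;
        *) echo unknown ;;
    esac
}

# Write a classic-pcap copy of $1 to $2; fail on anything unrecognized.
# mergecap (Wireshark) is assumed on PATH and is only invoked for pcapng input.
ensure_pcap() {
    in=$1
    out=$2
    case "$(capture_format "$in")" in
        pcap)   cp "$in" "$out" ;;
        pcapng) mergecap -F pcap -w "$out" "$in" ;;
        *)      echo "ensure_pcap: unrecognized capture format: $in" >&2
                return 1 ;;
    esac
}

# Constructed samples: the 8-byte prefix of a pcapng Section Header Block
# and of a little-endian classic pcap global header, written to a temp dir.
demo_dir=$(mktemp -d)
printf '\012\015\015\012\034\000\000\000' > "$demo_dir/fetched.pcapng"
printf '\324\303\262\241\002\000\004\000' > "$demo_dir/fetched.pcap"
for f in "$demo_dir/fetched.pcapng" "$demo_dir/fetched.pcap"; do
    echo "$f: $(capture_format "$f")"
done
# Typical use before tshark:
#   ensure_pcap list.pcap list.fixed.pcap && cat list.fixed.pcap | tshark -i -
```

When the file is already on disk, tshark -r list.pcap reads pcapng directly and needs no conversion; the check above matters only for the stdin path.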