OPENSOURCE SCRIPT LIBRARY
Scripting is an essential part of the FMADIO packet capture systems as packet capture is only the first step in the process of understanding your network traffic. We have released a small (but growing) library of commands to help integrate into your environment.
SCRIPT INTEGRATION
To get started, here's the link on GitHub.
https://github.com/fmadio/fmadio_scripts
It's currently not much, but expect it to grow and evolve based on your needs and requests.
MIRROR CAPTURE DATA ON REMOTE MACHINE
The purpose is to "rsync a capture", so to speak, with a twist. You can run in follow mode, so it constantly downloads new data from the currently active capture. You can also choose how the data is split, e.g. 1 minute PCAPs, 1GB PCAPs or any of the other options. It does lazy state evaluation too, so already downloaded files are skipped, the same as rsync.
Here's an example of rsyncing the currently active capture with 1 second PCAP splits in follow/poll mode (download new data as it arrives).
$ ./capture_rsync.py --follow --host 192.168.1.1 --split split_1sec
Follow Mode
[./py4_160105_16:12:20.211.165.440 ] Downloading... 0.000 GB 0.877 sec 0.000000 Gbps
[./py4_1618_20160105_16:18:50.749.243.904 ] Downloading... 0.343 GB 29.817 sec 0.091988 Gbps
[./py4_1618_20160105_16:18:51.749.243.904 ] Downloading... 0.415 GB 38.029 sec 0.087294 Gbps
[./py4_1618_20160105_16:18:52.749.243.904 ] Downloading... 0.488 GB 42.962 sec 0.090792 Gbps
[./py4_1618_20160105_16:18:53.749.243.904 ] Downloading... 0.436 GB 43.522 sec 0.080117 Gbps
[./py4_1618_20160105_16:18:54.749.243.904 ] Downloading... 0.110 GB 0.949 sec 0.931275 Gbps
[./py4_1618_20160105_16:18:55.749.243.904 ] Downloading... 0.100 GB 0.860 sec 0.928788 Gbps
[./py4_1618_20160105_16:18:56.749.243.904 ] Downloading... 0.109 GB 0.941 sec 0.930891 Gbps
[./py4_1618_20160105_16:18:57.749.243.904 ] Downloading... 0.099 GB 2.317 sec 0.341684 Gbps
[./py4_1618_20160105_16:18:58.749.243.904 ] Downloading... 0.078 GB 0.760 sec 0.820824 Gbps
[./py4_1618_20160105_16:18:59.749.243.904 ] Downloading... 0.064 GB 0.784 sec 0.648858 Gbps
[./py4_1618_20160105_16:19:00.749.243.904 ] Downloading... 0.099 GB 3.152 sec 0.250963 Gbps
[./py4_1618_20160105_16:19:01.749.243.904 ] Downloading... 0.108 GB 1.268 sec 0.678948 Gbps
[./py4_1618_20160105_16:19:02.749.243.904 ] Downloading... 0.113 GB 1.512 sec 0.596313 Gbps
.
.
.
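The "lazy state evaluation" described above (skip splits that are already on disk, rsync-style) has one edge case worth seeing in code: in follow mode the newest split belongs to the capture that is still being written, so a matching file size is not proof that the local copy is complete. The following is an added illustration written for this page, not code from the fmadio_scripts repository; the split names, sizes and the plan_downloads/demo function names are constructed for the example, and the real listing would come from the FMADIO device.

```python
import os
import tempfile

# Constructed remote listing of capture splits: (file name, size in bytes).
# Names and sizes are made up for this example.
REMOTE_SPLITS = [
    ("py4_1618_20160105_161850.pcap", 3680),
    ("py4_1618_20160105_161851.pcap", 4450),
    ("py4_1618_20160105_161852.pcap", 1200),
]


def plan_downloads(remote, local_dir, follow=False):
    """Decide which splits to fetch, rsync-style.

    A split is skipped when a local file with the same name and the same size
    already exists. In follow mode the newest split is always re-fetched,
    because the active capture is still appending to it, so a size match does
    not prove the local copy is complete.
    """
    todo = []
    newest = remote[-1][0] if remote else None
    for name, size in remote:
        local_path = os.path.join(local_dir, name)
        complete = os.path.isfile(local_path) and os.path.getsize(local_path) == size
        if complete and not (follow and name == newest):
            continue  # lazy state evaluation: nothing to do for this split
        todo.append(name)
    return todo


def demo():
    """Seed a temp directory with two complete splits and one partial split,
    then plan a one-shot run and a follow-mode run.

    Returns (one_shot_plan, follow_plan) for the constructed listing above.
    """
    with tempfile.TemporaryDirectory() as local_dir:
        # First split fully downloaded.
        with open(os.path.join(local_dir, REMOTE_SPLITS[0][0]), "wb") as fh:
            fh.write(b"\x00" * REMOTE_SPLITS[0][1])
        # Second split truncated mid-transfer (half the remote size).
        with open(os.path.join(local_dir, REMOTE_SPLITS[1][0]), "wb") as fh:
            fh.write(b"\x00" * (REMOTE_SPLITS[1][1] // 2))
        # Third (newest) split: size matches, but it is the active capture.
        with open(os.path.join(local_dir, REMOTE_SPLITS[2][0]), "wb") as fh:
            fh.write(b"\x00" * REMOTE_SPLITS[2][1])
        one_shot = plan_downloads(REMOTE_SPLITS, local_dir)
        follow = plan_downloads(REMOTE_SPLITS, local_dir, follow=True)
    return one_shot, follow


if __name__ == "__main__":
    print(demo())
```

A one-shot run only re-fetches the truncated second split; a follow-mode run additionally re-fetches the newest split every poll, which is what keeps the local mirror current without re-transferring the older, closed splits.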
DOWNLOAD CAPTURE DATA ON REMOTE MACHINE WITH FILTERING
Used when you want to download only data from an IP range or protocol-specific packets, e.g. to save network bandwidth and time by downloading only the specific data you're interested in. This feature helps speed up analysis and troubleshooting.
In the example below we're downloading all data in the subnet 192.168.1.0/24 in follow/poll mode with 1GB PCAP splits. Note the filter is applied to the 1GB source PCAPs on the FMADIO device, with the filtered result sent down the network.
$ ./capture_rsync.py --host 192.168.1.1 --output fmadio20 --filter FilterIPHost=192.168.1.0/24 --follow
Follow Mode
[fmadio20_landata_20160105_2145_split_1GB/landata_20160105_2145__20160105_21:46:14.660.095.232 ] Downloading... 0.264 GB 3.971 sec 0.532612 Gbps
[fmadio20_landata_20160105_2145_split_1GB/landata_20160105_2145__20160105_21:46:54.697.121.792 ] Downloading... 0.380 GB 7.556 sec 0.402748 Gbps
[fmadio20_landata_20160105_2145_split_1GB/landata_20160105_2145__20160105_21:47:43.308.749.568 ] Downloading... 0.072 GB 1.186 sec 0.484051 Gbps
Sleeping...
[fmadio20_landata_20160105_2145_split_1GB/landata_20160105_2145__20160105_21:48:05.748.449.280 ] Downloading... 0.000 GB 1.226 sec 0.000267 Gbps
[fmadio20_landata_20160105_2145_split_1GB/landata_20160105_2145__20160105_21:48:24.473.020.672 ] Downloading... 0.000 GB 1.933 sec 0.000176 Gbps
[fmadio20_landata_20160105_2145_split_1GB/landata_20160105_2145__20160105_21:48:50.867.348.736 ] Downloading... 0.000 GB 1.851 sec 0.000077 Gbps
[fmadio20_landata_20160105_2145_split_1GB/landata_20160105_2145__20160105_21:49:10.676.263.424 ] Downloading... 0.010 GB 2.225 sec 0.037457 Gbps
Sleeping...
.
.
LOCAL CONFIG
As always typing in the username/password/hostname sucks and is a security risk. The scripts read a config file from ~/.fmadio.config for default parameters. An example is shown below.
$ cat ~/.fmadio.conf
[General]
username=fmadio
password=secret
hostname=192.168.1.1
protocol=http
$
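Because the config file holds the device password in plain text, a script that reads it should also check who else can read it and should fail loudly on a missing key rather than silently connecting to an empty hostname. The following loader is an added example for this page, not the fmadio_scripts code: it parses the [General] section shown above with the standard library configparser, lets command-line values override the file, and flags group/world-readable permissions. The load_defaults, check_permissions and demo names, the https acceptance and the sample content are assumptions made for the example.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample config, mirroring the layout shown on the page.
SAMPLE_CONF = """[General]
username=fmadio
password=secret
hostname=192.168.1.1
protocol=http
"""

REQUIRED_KEYS = ("username", "password", "hostname", "protocol")


def check_permissions(path):
    """Return warnings if the file is readable or writable by group/others.

    The file holds a plaintext password, so anything beyond owner
    read/write (0600) is worth flagging before the credentials are used.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    warnings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        warnings.append("%s is readable by group/others (mode %o); chmod 600 recommended" % (path, mode))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        warnings.append("%s is writable by group/others (mode %o); chmod 600 recommended" % (path, mode))
    return warnings


def load_defaults(path, overrides=None):
    """Load [General] defaults from the config file and apply CLI overrides.

    Returns (settings, warnings). A missing key raises KeyError so a typo in
    the file does not fall through to an empty value. Interpolation is
    disabled so a '%' in the password is taken literally.
    """
    parser = configparser.ConfigParser(interpolation=None)
    with open(path) as fh:
        parser.read_file(fh)
    section = parser["General"]
    settings = {key: section[key] for key in REQUIRED_KEYS}
    if settings["protocol"] not in ("http", "https"):
        raise ValueError("unsupported protocol %r" % settings["protocol"])
    for key, value in (overrides or {}).items():
        if value is not None:  # argparse leaves unset options as None
            settings[key] = value
    return settings, check_permissions(path)


def demo():
    """Write the sample to a temp file, load it at mode 0600, then at 0644.

    Returns (settings, warnings_at_0600, warnings_at_0644).
    """
    fd, path = tempfile.mkstemp(prefix="fmadio_conf_demo_")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_CONF)
        os.chmod(path, 0o600)
        settings, strict = load_defaults(path, overrides={"hostname": "192.168.1.2", "username": None})
        os.chmod(path, 0o644)
        _, loose = load_defaults(path)
        return settings, strict, loose
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

With the file at mode 0600 the loader returns no warnings and the command-line hostname wins over the file; at 0644 the same file produces a readability warning, which is the case to catch before the password is ever sent over plain http.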
.. AND MORE TO COME
It's a small start; send us your requests, patches and questions. We're more than happy to do the leg work in the library code to get you up and running as quickly as possible.