How to: Packet Capture in VIRL



    This post relates to our Mar 2016 webinar that demonstrates how to use VIRL's Packet Capture feature from User Workspace Management (UWM) and VM Maestro (VMM). The feature includes two methods: capture to file and live capture. Both methods are supported on all platforms, and the scripts included in this post will relieve some of the command-line burden.





    As a general statement, it is strongly recommended that you use the latest version of Wireshark. While Windows users do not have to install Nmap, you do need to install a NetCat application. NetCat (nc) is needed to connect to the listening socket on the VIRL server when performing live captures. There is a standalone netcat.exe which you may download from HERE. This tutorial and webinar assume that you have installed the Nmap application, and all examples and demonstrated scripts reflect this assumption.


    Useful Links


    What is covered

    1. Offline Packet Capture
    2. Live Packet Capture
    3. Basic pcap Filters


    Offline Packet Capture

    This option lets the VIRL server handle the collection of data packets and send them to a file stored on the VIRL server. A standard PCAP filter can be applied to the capture, or the filter can be left blank so the user can filter the capture directly from Wireshark. To save the capture, the user must download the capture file and save it locally.


    Live Packet Capture

    This option opens a listening port on the VIRL server to allow an external packet sniffer application (e.g. Wireshark) to connect and display the packet flow as it happens. This capture can be started with or without a PCAP filter. No pcap file is generated on the VIRL server, as all of the output is sent directly to the live port. To view and manipulate the capture, Wireshark must be connected to the VIRL server via the assigned live port.


    Scripts for Live Packet Capture

    These and other helpful scripts can also be found on GitHub virl-utils


    Basic pcap Filters

    The filter looks for the attributes specified, meaning that a captured packet must contain all or some of those attributes. For example, setting a filter to capture pings and ARP messages like this: icmp and arp would produce an error and the filter would not be applied. This is because a single packet cannot be a unicast message and a broadcast message at the same time. The correct syntax is icmp or arp, which captures all ping and ARP messages.
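
    Added example (not from the original post or the virl-utils scripts): a Python model of why icmp and arp matches no packet while icmp or arp matches both kinds, run over a constructed three-frame capture. Each Ethernet frame carries exactly one EtherType, so a frame holds ICMP (inside IPv4) or ARP, never both. It assumes classic little-endian pcap framing with Ethernet link type; the function names are hypothetical, and it models the filter's boolean logic, not libpcap's own compiler.

```python
import struct

ETH_IPV4, ETH_ARP, PROTO_ICMP, PROTO_TCP = 0x0800, 0x0806, 1, 6

def classify(frame):
    """Return the filter primitives ('icmp', 'arp') one Ethernet frame satisfies."""
    labels = set()
    if len(frame) >= 14:
        ethertype = struct.unpack("!H", frame[12:14])[0]  # one EtherType per frame
        if ethertype == ETH_ARP:
            labels.add("arp")
        elif ethertype == ETH_IPV4 and len(frame) >= 34 and frame[23] == PROTO_ICMP:
            labels.add("icmp")  # byte 23 = IPv4 protocol field
    return labels

def read_pcap(data):
    """Yield raw frames from a classic little-endian pcap byte string."""
    if len(data) < 24 or struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap stream")
    offset = 24  # skip the global header
    while offset + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[offset:offset + 16])[2]
        offset += 16
        if offset + incl_len > len(data):
            break  # truncated final record
        yield data[offset:offset + incl_len]
        offset += incl_len

def count_matches(data, wanted, mode):
    """mode 'and': a frame must satisfy every primitive; 'or': at least one."""
    hit = wanted.issubset if mode == "and" else (lambda s: bool(wanted & s))
    return sum(1 for frame in read_pcap(data) if hit(classify(frame)))

def sample_pcap():
    """Constructed capture: one ICMP frame, one ARP frame, one TCP frame."""
    def eth(ethertype, payload):
        return b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", ethertype) + payload
    def ipv4(proto):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                           bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + b"\x00" * 8
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (eth(ETH_IPV4, ipv4(PROTO_ICMP)), eth(ETH_ARP, b"\x00" * 28),
              eth(ETH_IPV4, ipv4(PROTO_TCP))):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for mode in ("and", "or"):
        print(f"icmp {mode} arp ->", count_matches(sample_pcap(), {"icmp", "arp"}, mode))
```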


    Port Numbers and Protocols

    Examples of pcap filters

    Capture packets with source or destination port 53 and 80
        udp port 53 or tcp port 80

    Capture packets with destination port 80 (http)
        tcp dst port 80

    Capture icmp and arp packets
        icmp or arp


    Capture all packets with source or destination network that starts with 10.
        net 10

    All packets with source or destination network that starts with 172.16.1
        net 172.16.1

    All packets matching source network
        src net [network]

    All packets matching destination network
        dst net [network]



    Alternate Script for Live Packet Capture


    For Windows (alt.)

    Script Name: live_pcap.cmd


    • Download script to your computer
    • Open the script with your favorite text editor and edit the following line:
      • Replace with your VIRL server's IP address (leave the quotes in place)
      • set VIRL_HOST=""
    • Save the file.


    Running Script

    To connect to a live packet capture, start the script from the Run window or a CMD prompt like this:

    C:\path\to\script\live_pcap.cmd [live_port]


    The prerequisites outlined above must be met before you can successfully run this script.