This post accompanies our Mar 2016 webinar, which demonstrates how to use VIRL's Packet Capture feature from User Workspace Management (UWM) and VM Maestro (VMM). The feature offers two methods: capture to file, and live capture. Both methods are supported on all platforms, and the scripts included in this post will relieve some of the command line burden.
As a general statement, it is strongly recommended that you use the latest version of Wireshark. Windows users do not have to install Nmap, but you do need to install a NetCat application: NetCat (nc) is what connects to the listening socket on the VIRL server when performing live captures. There is a standalone netcat.exe which you may download from HERE. This tutorial and webinar assume that you have installed the Nmap application, and all examples and demonstrated scripts reflect this assumption.
What is covered
- Offline Packet Capture
- Live Packet Capture
- Basic pcap Filters
Offline Packet Capture
This option lets the VIRL server handle the collection of data packets and write them to a file stored on the VIRL server. The capture can be started with a standard PCAP filter, or with the filter left blank so the user can filter the capture directly in Wireshark. To keep the capture, the user must download the capture file and save it locally.
Live Packet Capture
This option opens a listening port on the VIRL server, to allow an external packet sniffer application (e.g. Wireshark) to connect and display the packet flow as it happens. This capture can be started with or without a PCAP filter. No pcap file is generated on the VIRL server, as all of the output is sent directly to the live port. To view and manipulate the capture, Wireshark must be connected to the VIRL server via the assigned live port.
Scripts for Live Packet Capture
These and other helpful scripts can also be found in the virl-utils repository on GitHub.
Basic pcap Filters
A filter lists the attributes a packet must have, and every captured packet is tested against the whole expression; with "and" a packet must carry all of the attributes, with "or" it needs only one of them. For example, setting a filter to capture pings and ARP messages like this:
icmp and arp
would produce an error and the filter would not be applied. This is because a single packet cannot be a unicast message and a broadcast message at the same time. So the correct syntax would be:
icmp or arp
which captures all ping and ARP messages.
Port Numbers and Protocols
Examples of pcap filters

| Filter | What it captures |
|---|---|
| udp port 53 or tcp port 80 | Packets with source or destination port 53 (UDP) or port 80 (TCP) |
| tcp dst port 80 | Packets with destination port 80 (HTTP) |
| icmp or arp | All ping (ICMP) and ARP messages |
| net 10 | All packets whose source or destination network starts with 10. |
| net 172.16.1 | All packets whose source or destination network starts with 172.16.1 |
| src net [network] | All packets matching the source network |
| dst net [network] | All packets matching the destination network |
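To make the filter semantics above concrete, here is an added example (not part of the webinar or the virl-utils scripts): it parses the classic pcap file format that an offline capture is downloaded in, extracts the attributes the filters test, and counts how many frames each of the page's filters would keep. The frames are constructed inline and the filter predicates are a hand-written subset of the pcap language, not libpcap.

```python
import struct
# Constructed sample frames (Ethernet II); these are not packets captured from a VIRL node.
ETH, ADDRS = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55", bytes([10, 0, 0, 1, 172, 16, 1, 2])

def ipv4(proto, payload):                                # minimal IPv4 header, 10.0.0.1 -> 172.16.1.2
    hdr = struct.pack("!BBHHHBBH8s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, ADDRS)
    return ETH + b"\x08\x00" + hdr + payload

FRAMES = [
    ETH + b"\x08\x06" + b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20,  # ARP request
    ipv4(1, b"\x08\x00\x00\x00\x00\x01\x00\x01"),                        # ICMP echo request
    ipv4(6, struct.pack("!HH", 40000, 80) + b"\x00" * 16),               # TCP, dst port 80
    ipv4(17, struct.pack("!HH", 53, 40001) + b"\x00" * 4),               # UDP, src port 53
]

def write_pcap(frames):                                  # classic pcap: little-endian, linktype 1
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):                       # per record: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def read_pcap(data):                                     # yield frames; byte order from the magic number
    endian = "<" if struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4 else ">"
    off = 24                                             # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def fields(frame):                                       # attributes the page's filters test
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    f = {"arp": ethertype == 0x0806, "icmp": False, "tcp": False, "udp": False, "sport": None, "dport": None}
    if ethertype == 0x0800:                              # IPv4: protocol byte sits at IP offset 9
        ihl, proto = (frame[14] & 0x0F) * 4, frame[14 + 9]
        f["icmp"], f["tcp"], f["udp"] = proto == 1, proto == 6, proto == 17
        if f["tcp"] or f["udp"]:                         # L4 ports follow the IP header
            f["sport"], f["dport"] = struct.unpack_from("!HH", frame, 14 + ihl)
    return f

FILTERS = {                                              # the page's filters as predicates (pcap subset)
    "icmp and arp": lambda f: f["icmp"] and f["arp"],    # no single frame is both, so this keeps nothing
    "icmp or arp": lambda f: f["icmp"] or f["arp"],
    "udp port 53 or tcp port 80": lambda f: (f["udp"] and 53 in (f["sport"], f["dport"]))
                                            or (f["tcp"] and 80 in (f["sport"], f["dport"])),
    "tcp dst port 80": lambda f: f["tcp"] and f["dport"] == 80,
}

def count_matches(pcap_bytes, filter_name):              # frames the named filter would keep
    return sum(1 for fr in read_pcap(pcap_bytes) if FILTERS[filter_name](fields(fr)))
SAMPLE_PCAP = write_pcap(FRAMES)                         # a downloaded capture file parses the same way
```

Running count_matches(SAMPLE_PCAP, "icmp and arp") returns 0 while "icmp or arp" returns 2, which is the point the filter section makes.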
Alternate Script for Live Packet Capture
For Windows (alt.)
Script Name: live_pcap.cmd
- Download the script to your computer.
- Open the script with your favorite text editor and edit the following line:
- Replace your.host.ip.address with your VIRL server's IP address (leave the quotes in place).
- Save the file.
To connect to a Live Packet Capture, start the script from the Run window or a CMD prompt like this:
The prerequisites outlined above must be met before you can successfully run this script.