Timemachine for full PCAP

Published by Matt Clemons on

Timemachine is just raw pacp and while it does integrate with Bro, Moloch’s gui is way waaaaayyy better.

Command line is king.

1. Install prereqs

yum install cmake make gcc gcc-c++ flex bison l openssl-devel python-devel swig zlib-devel git numactl numactl-devel httpd-tools readline readline-devel

2. Grab timemachine
git clone –recursive git://git.bro.org/time-machine

3. Install
cd time-machine

./configure  –prefix=/opt/timemachine –conf-files-dir=/etc/timemachine
make
make install

mkdir /pcap
mkdir /pcap/timemachine
mkdir /pcap/timemachine/indexes
mkdir /pcap/timemachine/queries

4. Config. Here’s an example /etc/timemachine.cfg

main {
## The device to sniff.
device “eth1”;

## Directories for packet captures, logs, and indexes.
workdir “/pcap/timemachine”;
indexdir “/pcap/timemachine/indexes”;
queryfiledir “/pcap/timemachine/queries”;

## Name for the log to be stored in <workdir>
logfile “timemachine.log”;

## Set this value to ‘1’ for daemon mode
daemon 1;
## If you are running in daemon, this has to be 0
console 0;

## How often in seconds timemachine should log stats.
log_interval 600;

## A BPF filter to apply before sniffing any traffic.
filter “not esp and not tcp port 443 and not udp port 4500 and not udp port 500”;

## Tune the length of time that TimeMachine will retain
## information about connections to correctly perform
## the connection cutoff feature.
conn_timeout 180;

## Set this to ‘0’ to disable the remote console.
#rmtconsole  1;
#rmtconsole_listen_addr 127.0.0.1;
#rmtconsole_port 42042;

## If TimeMachine was built Broccoli support, this
## will enable it and the other options will configure
## how it behaves.
#bro_listen 1;
#bro_listen_port 47757;
#bro_listen_addr 127.0.0.1;

## Index configuration.
## Default is to enable all indexes w/disk index
index “connection4” disk;
index “connection3” disk;
index “connection2” disk;
index “ip” disk;
}

class “else” {
filter “”;
precedence 10;
cutoff 10k;
disk 190000g;
filesize 1g;
mem 1g;
}

class “http” {
filter “port 80 and port 8080”;
precedence 50;
cutoff 256k;
disk 190000g;
filesize 1g;
mem 1g;
}
class “dns” {
filter “udp port 53 and tcp port 53”;
precedence 50;
cutoff 10k;
disk 190000g;
filesize 1g;
mem 1g;
}
class “smtp” {
filter “tcp port 25 and tcp port 587”;
precedence 50;
cutoff 1m;
disk 190000g;
filesize 1g;
mem 1g;
}

5. Start it.
/opt/timemachine/bin/timemachine

6. Sit back and watch your disk fill up.

7. Install and learn tshark, and other tools in the wireshark suite.

Categories: Uncategorized

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

Related Posts

Uncategorized

Open ports when you can’t open ports

Accessing resources remotely without cumbersome jumpboxes and dealing with restrictive red tape has been a recurring challenge for many. In this blog post, I will introduce a method to seamlessly extend your Wide Area Network Read more…

Uncategorized

Simple Method to push any PCAP through a Router

Introduction: Have you ever wanted to test how a system reacts, displays information, or handles attacks by pushing a bunch of PCAP (Packet Capture) files through a router or an Intrusion Detection and Prevention System Read more…

Uncategorized

ASM Cheat sheet

Back to basics.  Everything needed to learn ASM is available for free online.  Art of ASM book:http://www.plantation-productions.com/Webster/www.artofasm.com/Windows/HTML/AoATOC.html It starts you off with High Level Assembly which is more like a traditional programming language.  Towards the end, you’ll Read more…