In recent days Daniel Borkmann has released a new version of netsniff-ng; this new version brings many improvements and new features. With the latest version, 0.5.6, netsniff-ng can be used with Xplico without applying any patch.
So we recommend that all Xplico users use the latest version of netsniff-ng.
To use netsniff-ng as a network probe for Xplico on the Ethernet interface eth0, with the pcap files in /opt/xplico/pol_1/sol_1 (i.e. the first case and the first session in that case) and with an acquisition time interval of 300 seconds (5 minutes), the command to use is:
sudo netsniff-ng -i eth0 --out /opt/xplico/pol_1/sol_1/new --silent --jumbo-support --interval 300
Enjoy netsniff-ng!
As many Xplico users know, the Xplico "Live capture" is not a great solution for capturing network traffic. The "Live capture" was introduced only for demonstration purposes and cannot be considered a proper way to capture network data.
From version 0.6.2 we have improved the "real time capture" (i.e. Live capture), but these improvements have not solved (and cannot solve) some limits deliberately imposed on Xplico. Currently, the real time capture is performed by a plug-in (module) belonging to the Xplico capture modules, not by a separate application. This capture module uses libpcap to capture data from the network adapter.
In this context Xplico can lose data (packets) for two reasons:
- the real-time capture module is not designed for high-speed network traffic
- the Xplico I/O monitoring: the Xplico decoder controls the memory/threads/data it uses and, as feedback, it slows down the incoming data (via the capture module). If the input is a pcap file there are no consequences, but if the input is the network card then packets can be lost.
How to solve this problem? Simple: by using applications (and/or hardware) designed specifically for this purpose, namely network probes. We want to mention here two projects whose objective is the capture of high-volume network traffic and which use techniques that minimize the likelihood of data loss.
- it is completely open source (GPLv2)
- its main goal is to be a high performance network sniffer
- it uses ‘zero-copy’ mechanisms
- it attaches a Berkeley Packet Filter to the socket in order to pre-filter traffic within the kernel
If you are interested in trying netsniff-ng with Xplico what you have to do is:
- download netsniff-ng from the git repository (remember that netsniff-ng is in continuous development)
- copy the netsniff-ng-xplico file to netsniff-ng/src/netsniff-ng.c
sudo make install
/opt/xplico/script/session_mng.pyc -n netsniff test
use the session_mng.pyc output:
Put the pcap files here: /opt/xplico/pol_1/sol_1/new
in the next command
sudo netsniff-ng --in eth0 --out dump.pcap --silent --dump-path /opt/xplico/pol_1/sol_1/new --dump-frequency 10
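As an added example, not part of the Xplico project or of netsniff-ng, the following wrapper script ties the steps above together: it creates the Xplico session, reads the "Put the pcap files here:" directory that session_mng.pyc prints, runs a few pre-flight checks, and launches netsniff-ng with the unpatched 0.5.6 flags shown earlier (--in, --out, --silent, --jumbo-support, --interval). The script name, the handling of the session_mng.pyc arguments (passed through verbatim) and the sample output used for the parser are assumptions.

```shell
#!/bin/sh
# xplico-probe.sh (hypothetical helper; not part of Xplico or netsniff-ng)
# usage: xplico-probe.sh <iface> <interval-seconds> <session_mng.pyc args...>
# e.g.:  xplico-probe.sh eth0 300 -n netsniff test
set -eu

# Path documented in the Xplico instructions above.
SESSION_MNG=/opt/xplico/script/session_mng.pyc

# Extract the pcap directory from session_mng.pyc output, e.g. the line
#   "Put the pcap files here: /opt/xplico/pol_1/sol_1/new"
parse_pcap_dir() {
    printf '%s\n' "$1" | sed -n 's/^Put the pcap files here: *//p' | head -n 1
}

# Build the netsniff-ng command line (flags as used on this page):
# capture on $1, write rotated pcaps into $2, rotate every $3 seconds.
build_netsniff_cmd() {
    printf 'netsniff-ng --in %s --out %s --silent --jumbo-support --interval %s\n' \
        "$1" "$2" "$3"
}

# Pre-flight checks a probe host should pass before capture starts.
check_iface()    { [ -d "/sys/class/net/$1" ]; }          # interface exists
check_outdir()   { [ -d "$1" ]; }                          # session dir exists
check_interval() {                                         # positive integer
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 0 ]
}

main() {
    if [ "$#" -lt 3 ]; then
        echo "usage: $0 <iface> <interval-seconds> <session_mng.pyc args...>" >&2
        return 2
    fi
    iface=$1; interval=$2; shift 2

    check_interval "$interval" || { echo "bad interval: $interval" >&2; return 1; }
    check_iface "$iface"       || { echo "no such interface: $iface" >&2; return 1; }

    # Create the case/session; remaining args go to session_mng.pyc unchanged.
    out=$("$SESSION_MNG" "$@")
    pcap_dir=$(parse_pcap_dir "$out")
    [ -n "$pcap_dir" ] || { echo "could not find pcap directory in output" >&2; return 1; }
    check_outdir "$pcap_dir" || { echo "missing directory: $pcap_dir" >&2; return 1; }

    cmd=$(build_netsniff_cmd "$iface" "$pcap_dir" "$interval")
    echo "running: sudo $cmd" >&2
    # shellcheck disable=SC2086  # word-splitting of $cmd is intended here
    sudo $cmd
}

# Only run when invoked with arguments, so the functions can be sourced/tested.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Each rotated pcap lands in the session's "new" directory, where Xplico picks it up, so the decoder never throttles the capture path; the checks fail fast if the interface or session directory is missing, or if the interval is not a positive number.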