Pcap stream as capture

[t.kri...@gmail.com]

Hi,

Nice to meet you all ;-)
First, I'm a newbie with security-onion.
I'm able to download an "infinite" live pcap file from my actual modem/router (fritzbox), and this is the only way i have to see what's going on with my internet.
So i don't want to monitor an interface, or maybe replay without any modification the pcap on the correct interface (eth0 in my case).
Also it seem that TCPreplay is not the rigth tool for me (full pcap traffic, not only TCP).

Is there any way to analyse this live stream with security-onion ?

Thanks for your help.

Regards,
Thomas.

[Wes]

If you are looking to monitor traffic live, have you considered simply using tcpdump?

Or maybe consider reading from a remote stream, described here:
http://www.netresec.com/?page=Blog&month=2016-10&post=Reading-cached-packets-with-Wireshark

Otherwise, the full packet capture option provided by Security Onion (netsniff-ng) is great for capturing traffic that has been forwarded to an appropriate monitor interface. Once recorded to disk, analysts can pivot from IDS alerts within Sguil (to Wireshark, NetworkMiner, full transcript, etc.) or Squert, as well as pivot from logs in ELSA to full transcript. Bro also maintains logs on all sorts of traffic and creates notices you could key off of.

You can get a better idea of all of the tools included with Security Onion here:

https://github.com/Security-Onion-Solutions/security-onion/wiki/Tools

Thanks,
Wes

[t.kri...@gmail.com]

I'm looking to monitor my VDSL modem traffic.
I haven't SPAN or TAP, but there is a way to get a pcap file in as a download stream from the modem itself. Now i'm able to get this stream and for example read it with tshark, but i don't know how to read/analyse it with "something" in security onion.
Because this is a pcap stream, i can't store it, this is endless.
I was thinking about downloading it with wget and 2>/dev/null and pipe the content (like I do for tshark) to some pcap probe/processor (but which one ? )
Sorry if I'm not clear enough

[Wes]

Thomas,

You could try configuring a single interface as a management/monitor interface, as described here, to see if that would meet your needs:

https://groups.google.com/d/msg/security-onion/dnpwhCeakuw/bFyYOQcLAwAJ

Then, you should be able to use all the tools included with Security Onion (once configured).

Otherwise, you could try looking through the following to get other ideas:

http://www.netresec.com/?page=Blog&month=2011-09&post=Pcap-over-IP-in-NetworkMiner

https://groups.google.com/d/msg/security-onion/nJYacIiKDjY/K8D8WxJaOQkJ

Thanks,
Wes

[Kevin Branch]

TCPreplay works for replaying any pcap files, not just those with tcp packets.  The "TCP" in TCPrelay refers to tcp/ip rather than the the IP protocol tcp as opposed to udp or icmp.

Kevin

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.