To work with the data you intend to use and discover its nature, you will usually need a traffic capture (.pcap) file that the stub function of Zentral can ingest. Zentral can produce one with Datumize Data Dumper (DDD), but a .pcap can also be generated directly on Windows or Linux, as described below. Once the .pcap is generated, see the Zentral user guide for more in-depth information about working with stubs and pipelines.
Generate a .pcap in Windows
- Install Wireshark (the installer includes tshark).
- Run the following command as administrator, where "C:\Program Files\Wireshark\tshark" is the path to tshark (it depends on the machine's installation):
"C:\Program Files\Wireshark\tshark" -b "duration:60" -B 65535 -f "tcp" -Y "!(http.request.uri == \"/services/hotelsendpoint\")" -ni 1 -w C:\Users\%username%\Desktop\output.pcap
Explanation:
- -b duration:60 switches to a new output file every 60 seconds (ring-buffer mode).
- -B 65535 sets the capture buffer size (tshark interprets this value in MiB); a larger buffer reduces dropped packets under load.
- -ni 1 combines -n (no name resolution) with -i 1 (capture from interface number one); Windows numbers its interfaces, and tshark -D lists them.
- -f "tcp" is the capture filter (BPF syntax) and keeps only TCP traffic, which includes HTTP. URLs or services we do not want are excluded with the display filter -Y "!(http.request.uri == \"/services/hotelsendpoint\")"; protocol fields such as http.request.uri are display-filter syntax and are rejected by -f.
- -w <path> writes the capture to that file; with -b, tshark appends a sequence number and timestamp to each file name. Note that tshark writes pcapng by default regardless of the .pcap extension; add -F pcap if classic pcap is required.
Generate a .pcap in Linux
- Install tcpdump if it is not already installed.
- Run the following command with sudo:
sudo tcpdump -U -nOB 65535 -i <device-name> tcp -G 60 -s 20480 -w %d_%m-%H_%M_%S.pcap
Explanation:
- -i <device-name> selects the interface to capture on (tcpdump -D lists them); -i any captures from all interfaces at once.
- tcp is the capture filter: only TCP traffic is saved.
- -G 60 rotates to a new file every 60 seconds; the -w name must contain strftime tokens (as below), otherwise each rotation overwrites the previous file.
- -s 20480 sets the snaplength (bytes saved per packet); longer packets are clipped.
- -w <path_file.pcap> is the location and filename of the capture; %d_%m-%H_%M_%S expands to the day, month and time at which each file is opened.
- -U writes each packet to the file as soon as it is captured, -n disables name resolution, -O disables the BPF optimizer, and -B 65535 sets the OS capture buffer (tcpdump interprets this value in KiB).
Type CTRL+C to stop either of the above commands while it is running.
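Before handing a capture to a stub, it helps to confirm what the file actually contains. The following Python script is an added example and is not part of Zentral or DDD: it walks a classic libpcap file and reports link type, snaplen, packet count, how many packets were clipped by -s, and the time span, and it rejects pcapng (tshark's default output unless -F pcap is given). The make_pcap helper and the sample records are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

LINKTYPES = {1: "EN10MB", 113: "LINUX_SLL", 276: "LINUX_SLL2"}  # tcpdump -i any on Linux gives 113/276
MAGICS = {0xA1B2C3D4: ("<", 1e6), 0xD4C3B2A1: (">", 1e6),   # magic read little-endian ->
          0xA1B23C4D: ("<", 1e9), 0x4D3CB2A1: (">", 1e9)}   # (byte order, timestamp fraction divisor)

@dataclass
class PcapSummary:
    linktype: str
    snaplen: int
    packets: int
    truncated: int      # records whose captured length is below the original length
    duration_s: float

def summarize_pcap(data: bytes) -> PcapSummary:
    """Walk a classic libpcap file and report what a stub would actually ingest."""
    if len(data) < 24:
        raise ValueError("shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not classic pcap (pcapng, tshark's default without -F pcap, differs)")
    endian, ts_div = MAGICS[magic]
    snaplen, linktype = struct.unpack(endian + "II", data[16:24])  # last two header fields
    offset, count, truncated, first, last = 24, 0, 0, 0.0, 0.0
    while offset + 16 <= len(data):
        sec, frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if offset + 16 + incl_len > len(data):
            raise ValueError(f"record {count} is cut short (capture stopped mid-write)")
        ts = sec + frac / ts_div
        first = ts if count == 0 else first
        last, count = ts, count + 1
        if incl_len < orig_len:          # clipped by -s / the default snaplen
            truncated += 1
        offset += 16 + incl_len
    return PcapSummary(LINKTYPES.get(linktype, str(linktype)), snaplen,
                       count, truncated, last - first)

def make_pcap(records, snaplen=20480, linktype=1) -> bytes:
    """Constructed little-endian, microsecond-timestamp pcap used only for the demonstration."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for ts, payload, orig_len in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(payload), orig_len) + payload
    return out

if __name__ == "__main__":
    sample = make_pcap([(1700000000.0, b"\x00" * 60, 60), (1700000000.5, b"\x00" * 60, 60),
                        (1700000002.25, b"\x00" * 20480, 65000)])  # third packet clipped by -s 20480
    print(summarize_pcap(sample))
```

On a real file, call summarize_pcap(open("output.pcap", "rb").read()); a non-zero truncated count means the snaplength was too small for the traffic.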
Using the .pcap in Zentral
To use the newly created .pcap with a stub, see the following page for more information: Testing a Pipeline