Captureing network traffic and MaxMind GeoLite databases

[ghost]

Hello,

I need your help on two points:

1. I want to record a PCAP file using the decoder.

I try the following command:

decode -d writer -i INTERFACE -o pcap FILE NAME

He gives me the following error message:

WARNING:writer:rawHandler() got an unexpected keyword argument 'smac'

Do you know what it is?

2. The Dshell guide says that you should copy the following databases into the GeoIP folder:

GeoIP.dat, GeoIPv6.dat, GeoIPASNum.dat, GeoIPASNumv6.dat

The linked URL "https://dev.maxmind.com/geoip/geoip2/geolite2/" only has the GeoLite2 databases left:

GeoLite2 City, ... Country, ... ASN

These contain databases, but no longer the files mentioned above.

Does this still work?

[dev195]

1.

Looks like a bug. I just patched it and will push the fix shortly. Afterwards, a command like this should get it working: decode -d writer -o pcap=test.pcap -i INTERFACE

Also, if you are only reading packets from an interface, I recommend using a compiled tool like tcpdump instead of Dshell. It's faster.

2.

To my knowledge, the new GeoIP data files do not work with the old GeoIP library. We are aware of this, and fixing it is moving higher on the priority list!

Hopefully we'll have an update posted in a few days. I'll tag this issue as both updates are posted.

[ghost]

Thanks for the quick answers!

I am looking forward to the updates!

[ghost]

Top! Thanks a lot!

Can I simply exchange the file or do I have to completely reinstall / configure Dshell?

[dev195]

You can just replace writer.py. Everything else stayed the same.

[ghost]

Thank you. I'll try tomorrow morning and give you some feedback.

[ghost]

Sorry, the fix for writyer.py prints the following after entering and adjusting your suggestion for the captureing:

Error 'invalid syntax (writer.py, line 7)' loading module decoders.misc.writer Can only run one module live on an interface

[dev195]

Thanks for the info! We're looking into it, and will post something when it is working.

[dev195]

Sorry for the delay. I just pushed the geoip2 update.

I tried running the 'writer' decoder on this side, and could not recreate the error. Is it possible for you to post the exact command you are attempting to run?

[ghost]

Hello!

No problem! I am happy about the generally very fast answers from you!!!

I cannot post the exact order here. It has been approximately as follows:

decode -d writer enp0s3 -W FILE-NAME

Does that help?

[dev195]

I am trying to recreate the error, but the command seems to work properly on my system.

Is it possible for you to run the command with a --debug flag and post traceback output?

[ghost]

Hey!

Excuse my late answer, please.

I will reinstall Dshell in a few weeks and then have a look at both decoders again.

I hope this is ok for you.

Thanks a lot for your quick help!

[dek443]

The Python 2 version of Dshell is now deprecated and frozen as Release v2.4.10. We are closing all Pull Requests and Issues associated with that version, as Dshell development has shifted to the current version for Python 3. Thank you for your support.