cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

OS X Sierra Sniffer Module (tcpdump) issue #1753

Closed YuryDo closed 6 years ago

YuryDo commented 6 years ago

Hello! I'm running cuckoo 2.0.3 and 1.3-NG (Spender Sandbox). I'm also testing 2.0.4a5. The host machine is a MacBook Pro with OS X Sierra 10.12.6. Everything works fine except the sniffer module. When I was configuring the host I disabled System Integrity Protection with csrutil and then did chmod +s /usr/sbin/tcpdump. Forwarding is on, and pfctl allows the hostonly adapter (vboxnet0) to access the internet. I can run tcpdump from my own user (not root). But when I'm running an analysis I always get the same error:

    [cuckoo.core.plugins] ERROR: Unable to stop auxiliary module: Sniffer
    Traceback (most recent call last):
      File "/Library/Python/2.7/site-packages/cuckoo/core/plugins.py", line 162, in stop
        module.stop()
      File "/Library/Python/2.7/site-packages/cuckoo/auxiliary/sniffer.py", line 151, in stop
        (out, err, faq("permission-denied-for-tcpdump"))
    CuckooOperationalError: Error running tcpdump to sniff the network traffic during the analysis; stdout = '' and stderr = 'tcpdump: listening on vboxnet0, link-type EN10MB (Ethernet), capture size 262144 bytes\n'. Did you enable the extra capabilities to allow running tcpdump as non-root user and disable AppArmor properly (the latter only applies to Ubuntu-based distributions with AppArmor, see also https://cuckoo.sh/docs/faq/index.html#permission-denied-for-tcpdump)?

I see that cuckoo always starts the sniffer module without any problem, but it creates a dump.pcap and doesn't write into it (it remains 24 bytes). For example:

    [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 1081 (interface=vboxnet0, host=192.168.56.101)

I monitored the process by its PID: it starts, but it doesn't run as long as the analysis process, it terminates fast. I've tried all the workarounds that my mind proposed and that I could find on the web, but nothing works. I'll be very grateful if somebody can help me with this issue.

p.s. tcpdump version - 4.9.0. If I run it without any parameters, it captures the en1 packets. If I try to terminate the job with ctrl+c I get:

    pcap_cleanup_pktap_interface: ioctl(SIOCIFDESTROY) fail - Operation not permitted

Wireshark (2.4.0) works fine with that.

jbremer commented 6 years ago

At the moment I'm not really sure about tcpdump on macosx, but AFAIK it should work. Once I'm home I'll try to give it a try. Does anyone else have an idea about this?

YuryDo commented 6 years ago

Thank you for your quick reply! I dug in a little more, I've checked all the modules that you import in sniffer.py and plugins.py and I have everything working. That is the full pip list on my side:


Also I added the "-v" arg in sniffer.py:

    pargs = [
        tcpdump, "-U", "-q", "-s", "0", "-n", "-l", "-v", "-i",
        self.machine.interface,
    ]

So it will match the error check:

    err_whitelist_start = (
        "tcpdump: listening on ",
    )

I did it because before, when I was starting tcpdump manually without -v, I was always getting this output:

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on vboxnet0, link-type EN10MB (Ethernet), capture size 262144 bytes

But anyway, the tcpdump process keeps terminating a few seconds after it is started by cuckoo.
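Two checks worth automating when the Sniffer module reports an error like the one above: whether tcpdump's stderr lines would pass a prefix whitelist of the shape quoted in this comment, and whether dump.pcap is only the 24-byte pcap global header (no packet records). This is an added example, not code from cuckoo's sniffer.py; the "ends-with" suffixes and the sample stderr/pcap bytes are constructed assumptions, and the Python 2.7 site-packages paths on this host are not needed to run it.

```python
import struct

# Prefix whitelist as quoted in the comment above.
ERR_WHITELIST_START = (
    "tcpdump: listening on ",
)
# Assumption: tcpdump's end-of-run summary lines are tolerated too.
# These suffixes are constructed for this example, not taken from the page.
ERR_WHITELIST_ENDS = (
    "packets captured",
    "packets received by filter",
    "packets dropped by kernel",
)

def offending_stderr_lines(stderr):
    """Return the stderr lines a whitelist check of this shape would reject."""
    bad = []
    for line in stderr.split("\n"):
        line = line.rstrip("\r")
        if not line or line.startswith(ERR_WHITELIST_START):
            continue
        if line.endswith(ERR_WHITELIST_ENDS):
            continue
        bad.append(line)
    return bad

# Classic pcap magic numbers -> struct byte-order prefix.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}

def inspect_pcap(data):
    """Parse a classic pcap byte string and return (link_type, packet_count).
    A 24-byte file is the global header alone: tcpdump opened the file
    but never wrote a packet record."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    endian = PCAP_MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a pcap file (bad magic)")
    major, minor, _tz, _sig, snaplen, link_type = struct.unpack(
        endian + "HHiIII", data[4:24])
    if (major, minor) != (2, 4):
        raise ValueError("unexpected pcap version %d.%d" % (major, minor))
    count, off = 0, 24
    while off + 16 <= len(data):  # each record: 16-byte header + payload
        _sec, _usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        if incl_len > snaplen or off + 16 + incl_len > len(data):
            raise ValueError("truncated packet record at offset %d" % off)
        off += 16 + incl_len
        count += 1
    return link_type, count

# Constructed sample stderr: macOS tcpdump without -v (two lines, neither
# starts with the whitelisted prefix) versus with -v (prefix matches).
STDERR_WITHOUT_V = (
    "tcpdump: verbose output suppressed, use -v or -vv for full protocol decode\n"
    "listening on vboxnet0, link-type EN10MB (Ethernet), capture size 262144 bytes\n")
STDERR_WITH_V = (
    "tcpdump: listening on vboxnet0, link-type EN10MB (Ethernet), capture size 262144 bytes\n")

# Constructed pcap bytes: header only (snaplen 262144, LINKTYPE_ETHERNET = 1),
# then the same header followed by one 14-byte Ethernet frame record.
EMPTY_PCAP = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 262144, 1)
ONE_PACKET_PCAP = (EMPTY_PCAP + struct.pack("<IIII", 1, 0, 14, 14)
                   + b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00")
```

Run `inspect_pcap(open(path, "rb").read())` against a real dump.pcap; a result of (1, 0) on a 24-byte file confirms the capture never received packets rather than being corrupt.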

YuryDo commented 6 years ago

An update on my situation: I ran dtruss and got this:


YuryDo commented 6 years ago

Finally I found a workaround. After exploring the dtruss log and digging through the tcpdump manual/FAQs, I found that I hadn't reproduced the tcpdump command from sniffer.py with the "-w" arg to write into a file. After adding it, I caught a "Segmentation fault: 11". So I removed the "-U" arg and after that everything works smoothly. I'm not sure that it's a 100% good workaround, but better than nothing.

jbremer commented 6 years ago

Hm, interesting. Apparently tcpdump crashes if you provide the -U flag. Are you running an older version or something maybe? First time I'm seeing this issue.

YuryDo commented 6 years ago

As on my MacBook and a few others that I checked:

tcpdump version

    tcpdump version 4.9.0 -- Apple version 79.60.1
    libpcap version 1.8.1 -- Apple version 67.60.1
    LibreSSL 2.2.7

OS X - 10.12.6 (with all latest updates)

This version of tcpdump is built-in, and if you try to install tcpdump with brew, it won't update/upgrade the native one.

doomedraven commented 6 years ago

But `brew link tcpdump` should do that, no? I may have a typo in the link command, but there is a command for it.

YuryDo commented 6 years ago

Linking worked fine. Really strange, as I tried that before and it didn't do the trick. So, the final working advice will be to install and link tcpdump with brew. I just checked: everything works as it should. Thank you! p.s. I guess the issue can be closed.

doomedraven commented 6 years ago

You can close it, it is your issue ;) and you are welcome :)