Rather than performing out-of-band bulk packet captures, configure the Manager to automatically capture relevant network traffic from each clone, so that it can detect when a compromise occurs. This data should be in PCAP format and should eventually be provided to the Drone web service, referenced by the generated fingerprint.
Net::Packet::Dump looks promising, but currently has a hardcoded snaplen of 1514. I'm trying to contact the author to make this snaplen configurable (65535).
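To show concretely what the hardcoded 1514 costs, here is an added example (not part of this ticket and not code from Net::Packet::Dump): a minimal classic-PCAP writer and reader in Python that honours a snaplen the way libpcap does (store at most `snaplen` bytes, but record the on-wire length), plus a check that flags records where bytes were lost. The three Ethernet frames, the MAC addresses and the timestamps are constructed for the example; the frame sizes (1514, a 1518-byte VLAN-tagged frame and a 9000-byte jumbo frame) are chosen to sit exactly at and above the 1514 limit. The same `truncated_records` check is what a Manager could run over every capture before handing it to the Drone service, to catch a capture that was made with too small a snaplen.

```python
import struct

# Classic pcap magic (microsecond timestamps) as written by libpcap on a little-endian host.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
FULL_SNAPLEN = 65535          # the value the ticket wants to be able to configure
ETHERNET_MTU_SNAPLEN = 1514   # the value currently hardcoded in Net::Packet::Dump


def pcap_global_header(snaplen, linktype=LINKTYPE_ETHERNET):
    """24-byte pcap file header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec, ts_usec, frame, snaplen):
    """One record: at most snaplen bytes are stored (incl_len), the on-wire size is kept (orig_len)."""
    captured = frame[:snaplen]
    return struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame)) + captured


def write_pcap(frames, snaplen):
    """Serialize (ts_sec, ts_usec, frame) tuples into a pcap byte string using the given snaplen."""
    chunks = [pcap_global_header(snaplen)]
    for ts_sec, ts_usec, frame in frames:
        chunks.append(pcap_record(ts_sec, ts_usec, frame, snaplen))
    return b"".join(chunks)


def read_pcap(blob):
    """Parse a pcap blob into (snaplen, [(ts_sec, ts_usec, incl_len, orig_len, data), ...])."""
    if len(blob) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:      # same magic bytes written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file: magic 0x%08x" % magic)
    snaplen = struct.unpack_from(endian + "IHHiIII", blob, 0)[5]
    records, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", blob, off)
        off += 16
        if incl_len > snaplen:
            raise ValueError("record at offset %d claims more bytes than the snaplen allows" % (off - 16))
        data = blob[off:off + incl_len]
        if len(data) != incl_len:
            raise ValueError("record at offset %d is shorter than its incl_len" % (off - 16))
        off += incl_len
        records.append((ts_sec, ts_usec, incl_len, orig_len, data))
    return snaplen, records


def truncated_records(blob):
    """Indices of records that stored fewer bytes than were on the wire, i.e. evidence lost to snaplen."""
    _, records = read_pcap(blob)
    return [i for i, (_, _, incl_len, orig_len, _) in enumerate(records) if incl_len < orig_len]


def make_frame(payload_len, vlan_tagged=False):
    """Constructed Ethernet frame: dst MAC, src MAC, optional 802.1Q tag, EtherType, zero payload."""
    header = b"\x02" * 6 + b"\x04" * 6          # constructed locally-administered MAC addresses
    if vlan_tagged:
        header += b"\x81\x00\x00\x64"            # TPID 0x8100, VLAN ID 100
    header += b"\x08\x00"                        # EtherType IPv4
    return header + b"\x00" * payload_len


# Constructed sample traffic: a full-size untagged frame (exactly 1514 bytes), the same frame
# with a VLAN tag (1518 bytes) and a jumbo frame (9000 bytes). Only the first survives 1514 intact.
SAMPLE_FRAMES = [
    (1206316800, 0,   make_frame(1500)),                    # 14 + 1500 = 1514 bytes
    (1206316800, 500, make_frame(1500, vlan_tagged=True)),  # 18 + 1500 = 1518 bytes
    (1206316801, 0,   make_frame(8986)),                    # 14 + 8986 = 9000 bytes
]


def compare_snaplens():
    """Map each snaplen under discussion to the indices of records it would truncate."""
    return {s: truncated_records(write_pcap(SAMPLE_FRAMES, s))
            for s in (ETHERNET_MTU_SNAPLEN, FULL_SNAPLEN)}


if __name__ == "__main__":
    for snaplen, lost in compare_snaplens().items():
        print("snaplen %5d: truncated records %s" % (snaplen, lost))
```

With the 1514 snaplen the VLAN-tagged and jumbo frames come back with `incl_len < orig_len`, so the tail of each (which, for a compromised clone, is the part of the payload an analyst most wants) is simply not in the file; with 65535 nothing is truncated. The reader deliberately rejects a record whose `incl_len` exceeds the header's snaplen, since that combination only appears in corrupted or hand-crafted files.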
Here's a possible (untested) patch to Dump.pm (Net::Packet::Dump v3.25)
{{{
!patch
--- Dump.pm 2006-11-23 17:52:16.000000000 -0500 +++ Dump.pm-new.pm 2008-03-24 16:57:11.137005061 -0400 @@ -35,6 +35,7 @@ noLayerWipe mode keepTimestamp
noStore => 1, keepTimestamp => 1, unlinkOnClean => 0, @@ -757,6 +760,10 @@
If you want to capture in promiscuous mode, set it to 1. Default to 0.
+=item B
+
+If you want to capture a different snaplen, set it a number. Default to 1514.
+
=item B
This attribute tells which datalink type is used for .pcap files. @@ -829,6 +836,8 @@
promisc: 0
+snaplen: 1514 + timeoutOnNext: 3
isRunning: 0 }}}
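Review bot: the first hunk (`@@ -35,6 +35,7 @@`) promises one added line, but no `+` line is visible in it; the new attribute and its default need to appear beside `noStore => 1, keepTimestamp => 1, unlinkOnClean => 0`. More importantly, none of the three hunks (attribute list, POD, defaults listing) touches the place where the pcap handle is opened, so the literal 1514 would still be passed at capture time and setting the new attribute would change nothing. The patch needs a hunk at that open call that reads the snaplen from the object's attribute instead of the constant.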
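Review bot: in the POD hunk (`@@ -757,6 +760,10 @@`) the new label `+=item B` carries no attribute name (the neighbouring `=item B` for the datalink attribute shows the same loss, so the `<...>` part was probably stripped in transit); it should read `=item B<snaplen>` so the attribute shows up in the rendered documentation. The sentence `+If you want to capture a different snaplen, set it a number. Default to 1514.` is missing a word (`set it to a number`), and since the ticket's stated goal is 65535, the doc should say that 1514 covers only a standard-size Ethernet frame and that longer frames are cut off at that default.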
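Review bot: the defaults listing in the last hunk (`@@ -829,6 +836,8 @@`) documents `snaplen: 1514`, which matches the POD hunk but keeps exactly the value this ticket says is too small. Either ship 65535 as the default, as proposed above, or make sure the Manager sets the attribute explicitly on every capture instance, otherwise clone captures keep silently dropping bytes past 1514. The header also counts two added lines while only `+snaplen: 1514 +` is visible, so confirm the second line is the intended blank separator and not lost content.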