Closed mostwanted002 closed 1 year ago
Type `which tcpdump` in your Linux terminal, and see if the path matches the configuration path in custom/conf/auxiliary.conf.
The path in the configuration is correct.

Output of `which tcpdump`:

    /usr/sbin/tcpdump

Output of `cat custom/conf/auxiliary.conf | grep tcpdump`:

    # Enable or disable the use of an external sniffer (tcpdump) [yes/no].
    # enable remote tcpdump support
    # Specify the path to your local installation of tcpdump. Make sure this
    tcpdump = /usr/sbin/tcpdump
    # Specify the network interface name on which tcpdump should monitor the
    # Specify a Berkeley packet filter to pass to tcpdump.
Did you enable generation of pcaps in `routing.conf`?
Yes. Everything was working until I performed a `git pull` 2 days ago.
Just to be sure, I pulled the latest commits before opening this bug.
Never mind. I found the error. Somehow, my `enable_pcap = yes` was set to `enable_pcap = no`.
Apologies. Closing the issue with this comment.
Hey! Umm... That flag is for non-live network. I'm using inetsim routing, and it doesn't require that flag to be set. Regardless, I set it to yes and submitted the same sample. I still got `PCAP does not exist` in the logs.
To generate pcaps it requires it to be enabled. Did you restart cape.service after changing the config?
Yes. I did restart all the cape related services.
When you run an analysis, in another terminal as root run: `ps aux|grep tcpdump`. If there is a defunct entry, it means that you don't have proper permissions; run those:
https://github.com/kevoreilly/CAPEv2/blob/master/installer/cape2.sh#L922-L927
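The manual diagnosis in this thread (is the `tcpdump =` path in auxiliary.conf a real binary, does it carry the raw-socket capabilities, is the CAPE user in the capture group, and is a zombie `tcpdump` left behind) put into one pre-flight script. This is an added example, not CAPEv2 code and not the linked installer; the `cape` user name, the `pcap` group, the `cap_net_raw,cap_net_admin=eip` capability set and the config path are assumptions taken from the thread and the usual unprivileged-tcpdump recipe, and the sample config and `ps` listing are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not CAPEv2 code): pre-flight check for the tcpdump sniffer.
# Assumptions: CAPE runs as user "cape", the installer put that user in a
# "pcap" group, and tcpdump needs cap_net_raw + cap_net_admin to capture
# without root. Override with CAPE_USER / AUX_CONF if your setup differs.

CAPE_USER="${CAPE_USER:-cape}"
AUX_CONF="${AUX_CONF:-custom/conf/auxiliary.conf}"

# Print the value of the first uncommented "tcpdump = <path>" line on stdin.
conf_tcpdump_path() {
    sed -n 's/^[[:space:]]*tcpdump[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Succeed when a getcap(8) output line lists both capabilities tcpdump needs.
# Accepts both libcap output styles: "path = caps+eip" and "path caps=eip".
has_caps() {
    case "$1" in
        *cap_net_raw*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *cap_net_admin*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed when group $2 appears in the whitespace-separated list $1
# (the shape `id -nG <user>` prints).
user_in_group() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Succeed when a `ps aux` listing ($1) contains a zombie tcpdump, the symptom
# the maintainer points at above. The listing is passed in as a string so the
# grep cannot match its own command line.
defunct_tcpdump() {
    printf '%s\n' "$1" | grep -q 'tcpdump.*<defunct>'
}

# Run the real checks on this host (use during an analysis for the ps check).
live_check() {
    rc=0
    path="$(conf_tcpdump_path < "$AUX_CONF")"
    if [ ! -x "$path" ]; then
        echo "FAIL: '$path' from $AUX_CONF is not executable (compare: which tcpdump)"; rc=1
    elif ! has_caps "$(getcap "$path" 2>/dev/null)"; then
        echo "FAIL: $path lacks cap_net_raw/cap_net_admin; run: setcap cap_net_raw,cap_net_admin=eip $path"; rc=1
    fi
    if ! user_in_group "$(id -nG "$CAPE_USER" 2>/dev/null)" pcap; then
        echo "WARN: user $CAPE_USER is not in group pcap (assumed capture group)"; rc=1
    fi
    if defunct_tcpdump "$(ps aux)"; then
        echo "FAIL: defunct tcpdump present; sniffer lacks permission to capture"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: sniffer prerequisites look fine"
    return "$rc"
}

# Constructed sample data (not from a real host) so the helpers can be
# exercised on a machine without tcpdump installed.
SAMPLE_CONF='# Specify the path to your local installation of tcpdump.
tcpdump = /usr/sbin/tcpdump
interface = virbr1'
SAMPLE_PS='root  1234  0.0  0.0     0    0 ?  Z  10:00  0:00 [tcpdump] <defunct>
cape  1235  0.0  0.1  4096 1024 ?  S  10:00  0:00 python3 cuckoo.py'

demo() {
    printf '%s\n' "$SAMPLE_CONF" | conf_tcpdump_path
    has_caps "/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip" && echo "caps: ok"
    defunct_tcpdump "$SAMPLE_PS" && echo "zombie tcpdump found in sample ps output"
}

case "${1:-}" in
    --live) live_check ;;
    *) demo ;;
esac
```

Run it as `sh check_sniffer.sh --live` on the sandbox host while a task is being analysed; without arguments it only exercises the helpers on the constructed samples. The `e` in `=eip` matters: without the effective bit the binary holds the capabilities but cannot use them, which is exactly the silent failure that shows up as a zombie process.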
In fact, it was a permission error.
Re-running the commands from the script fixed the issue. Thank you. Closing it now.
yaw, I will try to see how to detect it automatically, as this is one of the most frequent problems
Thank you ❤️
Expected Behavior
The `[modules.auxiliary.sniffer]` should launch a `tcpdump` process with the configured network interface, and a TCP dump (PCAP) file should be saved at `storage/analyses/<TASK_ID>/dump.pcap`, which is then used by `cape-processor` to extract network IOCs.
Current Behavior
The `[modules.auxiliary.sniffer]` launches a `tcpdump` process, with output file path as `storage/analyses/<TASK_ID>/dump.pcap`, but `cape-processor` says "PCAP file does not exist" and it is true. PCAP file doesn't exist in the expected location.
Failure Information (for bugs)
Failure Logs
journalctl log from `cape.service`
journalctl log from `cape-processor.service`