kevoreilly / CAPEv2

Malware Configuration And Payload Extraction
https://capesandbox.com/analysis/

tcpdump not generating PCAP files for analysis #1497

Closed mostwanted002 closed 1 year ago

mostwanted002 commented 1 year ago

Expected Behavior

The [modules.auxiliary.sniffer] should launch a tcpdump process with configured network interface, and a TCP dump (PCAP) file should be saved at storage/analyses/<TASK_ID>/dump.pcap, which is then used by cape-processor to extract network IOCs.

Current Behavior

The [modules.auxiliary.sniffer] launches a tcpdump process, with output file path as storage/analyses/<TASK_ID>/dump.pcap, but cape-processor says "PCAP file does not exist" and it is true. PCAP file doesn't exist in the expected location.

Failure Information (for bugs)

Steps to Reproduce

  1. Update to latest git commit of CAPEv2
  2. Restore the configuration file.
  3. Start an analysis

Context

Question: Answer
Git commit: 3dfe70c65b51bc012eece0081ebc8b48fa4ac71e
OS version: Ubuntu 22.04.2 LTS

Failure Logs

journalctl log from cape.service

Apr 20 06:32:41 mostwanted002-ThreatIntel-DB python3[50166]: 2023-04-20 06:32:41,396 [lib.cuckoo.core.scheduler] INFO: Task #17528: Starting analysis of FILE '/tmp/cuckoo-tmp/upload_mvpju8_c/DNSBench.exe'
Apr 20 06:32:41 mostwanted002-ThreatIntel-DB python3[50166]: 2023-04-20 06:32:41,412 [lib.cuckoo.core.scheduler] INFO: Task #17528: acquired machine cape_guest (label=cape_guest, arch=x64, platform=windows)
Apr 20 06:32:49 mostwanted002-ThreatIntel-DB python3[50166]: 2023-04-20 06:32:49,314 [lib.cuckoo.core.scheduler] INFO: Enabled route 'inetsim'.
Apr 20 06:32:49 mostwanted002-ThreatIntel-DB python3[50166]: 2023-04-20 06:32:49,317 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 53677 (interface=virbr1, host=172.24.69.69, dump path=/opt/CAPEv2/storage/analyses/17528/dump.pcap)
Apr 20 06:32:49 mostwanted002-ThreatIntel-DB python3[50166]: 2023-04-20 06:32:49,332 [lib.cuckoo.core.guest] INFO: Task #17528: Starting analysis on guest (id=cape_guest, ip=172.24.69.69)
Apr 20 06:32:49 mostwanted002-ThreatIntel-DB python3[50166]: 2023-04-20 06:32:49,356 [lib.cuckoo.core.guest] INFO: Task #17528: Guest is running CAPE Agent 0.11 (id=cape_guest, ip=172.24.69.69)
Apr 20 06:32:51 mostwanted002-ThreatIntel-DB python3[50166]: 2023-04-20 06:32:51,880 [lib.cuckoo.core.guest] INFO: Task #17528: Uploading support files to guest (id=cape_guest, ip=172.24.69.69)
Apr 20 06:32:51 mostwanted002-ThreatIntel-DB python3[50166]: 2023-04-20 06:32:51,880 [lib.cuckoo.core.guest] INFO: Task #17528: Uploading script files to guest (id=cape_guest, ip=172.24.69.69)
Apr 20 06:36:51 mostwanted002-ThreatIntel-DB python3[50166]: 2023-04-20 06:36:51,494 [lib.cuckoo.core.guest] INFO: Task #17528: Analysis completed successfully (id=cape_guest, ip=172.24.69.69)
Apr 20 06:36:52 mostwanted002-ThreatIntel-DB python3[50166]: 2023-04-20 06:36:52,798 [lib.cuckoo.core.scheduler] INFO: Disabled route 'inetsim'
Apr 20 06:36:53 mostwanted002-ThreatIntel-DB python3[50166]: 2023-04-20 06:36:53,242 [lib.cuckoo.core.scheduler] INFO: Task #17528: analysis procedure completed

journalctl log from cape-processor.service

Apr 20 06:27:21 mostwanted002-ThreatIntel-DB python3[50165]: 2023-04-20 06:27:21,636 [root] INFO: Processing analysis data
Apr 20 06:36:57 mostwanted002-ThreatIntel-DB python3[50165]: 2023-04-20 06:36:57,501 [root] INFO: Processing analysis data for Task #17528
Apr 20 06:36:57 mostwanted002-ThreatIntel-DB python3[50165]: OPTIONAL! Missed dependency: pip3 install https://github.com/CAPESandbox/peepdf/archive/20eda78d7d77fc5b3b652ffc2d8a5b0af796e3dd.zip#egg=peepdf==0.4.2
Apr 20 06:36:57 mostwanted002-ThreatIntel-DB python3[50165]: OPTIONAL! Missed dependency: pip3 install -U git+https://github.com/DissectMalware/batch_deobfuscator
Apr 20 06:36:57 mostwanted002-ThreatIntel-DB python3[50165]: OPTIONAL! Missed dependency: pip3 install -U git+https://github.com/CAPESandbox/httpreplay
Apr 20 06:37:01 mostwanted002-ThreatIntel-DB python3[56307]: 2023-04-20 06:37:01,456 [Task 17528] [modules.processing.network] WARNING: The PCAP file does not exist at path "/opt/CAPEv2/storage/analyses/17528/dump.pcap"
Apr 20 06:37:01 mostwanted002-ThreatIntel-DB python3[56307]: 2023-04-20 06:37:01,456 [Task 17528] [modules.processing.network] WARNING: The PCAP file does not exist at path "/opt/CAPEv2/storage/analyses/17528/dump.pcap"
Apr 20 06:37:01 mostwanted002-ThreatIntel-DB python3[56307]: /opt/CAPEv2/utils/../lib/cuckoo/common/abstracts.py:991: FutureWarning: Possible nested set at position 5
Apr 20 06:37:01 mostwanted002-ThreatIntel-DB python3[56307]:   exp = re.compile(pattern, re.IGNORECASE)
Apr 20 06:37:02 mostwanted002-ThreatIntel-DB python3[50165]: 2023-04-20 06:37:02,037 [root] INFO: Reports generation completed

RoemIko commented 1 year ago

Type in which tcpdump in your linux terminal. And see if the path matches the configuration path of custom/conf/auxiliary.conf.

mostwanted002 commented 1 year ago

The path in the configuration is correct.

Output of which tcpdump :

/usr/sbin/tcpdump

Output of cat custom/conf/auxiliary.conf | grep tcpdump:

# Enable or disable the use of an external sniffer (tcpdump) [yes/no].
# enable remote tcpdump support
# Specify the path to your local installation of tcpdump. Make sure this
tcpdump = /usr/sbin/tcpdump
# Specify the network interface name on which tcpdump should monitor the
# Specify a Berkeley packet filter to pass to tcpdump.

doomedraven commented 1 year ago

did you enable generation of pcaps in routing.conf?

mostwanted002 commented 1 year ago

Yes. Everything was working until I performed a git pull 2 days ago. Just to be sure, I pulled latest commits before opening this bug.

mostwanted002 commented 1 year ago

Never mind. I found the error. Somehow, my enable_pcap = yes was set to enable_pcap = no.

Apologies. Closing the issue with this comment.

mostwanted002 commented 1 year ago

Hey! Umm... That flag is for non-live network. I'm using inetsim routing, and it doesn't require that flag to be set. Regardless, I set it to yes and submitted the same sample. I still got PCAP does not exist in the logs.

doomedraven commented 1 year ago

to generate pcaps it requires it to be enabled. did you restart cape.service after changing the config?

mostwanted002 commented 1 year ago

Yes. I did restart all the cape related services.

doomedraven commented 1 year ago

when you run analysis, in another terminal as root run: ps aux|grep tcpdump, if there is defunct it means that you don't have proper permissions, run those

https://github.com/kevoreilly/CAPEv2/blob/master/installer/cape2.sh#L922-L927
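
The diagnostic described in the comment above (a tcpdump that shows up as <defunct> in ps aux because the binary cannot open the interface) can be scripted. The following is an added example written for this thread; it is not CAPE's own sniffer or installer code and does not reproduce the commit linked later in the thread. It parses the output of ps aux and getcap so the logic can be exercised on embedded sample text, and also offers a live_check() that runs the real commands on the host. All function names are hypothetical, the set of capabilities it treats as required (cap_net_raw and cap_net_admin) is an assumption about what packet capture needs rather than something the thread states, and the ps/getcap sample output is constructed (only the PID 53677 and the dump path are taken from the logs in the report).

```python
"""Preflight check for the sniffer's tcpdump dependency.

Added example for the issue thread above; not CAPE's code. It turns the manual
"look for <defunct> tcpdump in ps aux" hint into a repeatable check and adds a
capability check via getcap, so an operator can see why no dump.pcap appears
before digging through the processor logs.
"""
import os
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Set

# Assumption: these are the capabilities tcpdump needs to capture as an
# unprivileged user. The thread only links the installer lines; it does not
# list them.
REQUIRED_CAPS: Set[str] = {"cap_net_admin", "cap_net_raw"}


def find_defunct_tcpdump(ps_output: str) -> List[int]:
    """Return PIDs of tcpdump processes that `ps aux` shows as <defunct>."""
    pids: List[int] = []
    for line in ps_output.splitlines():
        # `ps aux` has 11 columns; the COMMAND column may itself contain spaces.
        fields = line.split(None, 10)
        if len(fields) < 11 or not fields[1].isdigit():
            continue
        command = fields[10]
        if "tcpdump" in command and "<defunct>" in command:
            pids.append(int(fields[1]))
    return pids


def parse_getcap(getcap_output: str) -> Set[str]:
    """Collect capability names from a getcap line.

    Handles both the older format ('/usr/sbin/tcpdump cap_net_raw=eip') and
    the newer one ('/usr/sbin/tcpdump = cap_net_raw+eip').
    """
    return {m.group(0) for m in re.finditer(r"cap_[a-z_]+", getcap_output)}


def missing_capabilities(getcap_output: str) -> Set[str]:
    """Capabilities from REQUIRED_CAPS that the getcap output does not show."""
    return REQUIRED_CAPS - parse_getcap(getcap_output)


def expected_dump_path(cape_root: str, task_id: int) -> str:
    """Path the sniffer writes to, following the layout seen in the logs."""
    return os.path.join(cape_root, "storage", "analyses", str(task_id), "dump.pcap")


def pcap_status(path: str) -> str:
    """'missing', 'empty' or 'ok' for a capture file (empty usually means
    tcpdump started but never got a packet, e.g. it died at startup)."""
    if not os.path.exists(path):
        return "missing"
    if os.path.getsize(path) == 0:
        return "empty"
    return "ok"


def live_check(tcpdump: Optional[str] = None) -> Dict[str, object]:
    """Run the real `ps aux` and `getcap` on this host (procps and libcap
    tools must be installed; results are empty when they are not)."""
    tcpdump = tcpdump or shutil.which("tcpdump") or "/usr/sbin/tcpdump"
    result: Dict[str, object] = {"tcpdump": tcpdump, "defunct": [], "missing_caps": set()}
    if shutil.which("ps"):
        ps = subprocess.run(["ps", "aux"], capture_output=True, text=True, check=False)
        result["defunct"] = find_defunct_tcpdump(ps.stdout)
    if shutil.which("getcap") and os.path.exists(tcpdump):
        gc = subprocess.run(["getcap", tcpdump], capture_output=True, text=True, check=False)
        result["missing_caps"] = missing_capabilities(gc.stdout)
    return result


# Constructed sample output for offline use. The zombie entry mirrors the
# symptom described in the thread; the command line of the healthy entry is
# illustrative, not CAPE's actual tcpdump invocation.
SAMPLE_PS = """USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
cape 53677 0.0 0.0 0 0 ? Zs 06:32 0:00 [tcpdump] <defunct>
cape 53690 0.1 0.2 12345 6789 ? S 06:32 0:00 /usr/sbin/tcpdump -i virbr1 -w /opt/CAPEv2/storage/analyses/17528/dump.pcap
"""
SAMPLE_GETCAP_OK = "/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip\n"
SAMPLE_GETCAP_NONE = ""  # getcap prints nothing when no file capabilities are set

if __name__ == "__main__":
    print("defunct tcpdump PIDs in sample:", find_defunct_tcpdump(SAMPLE_PS))
    print("missing caps (no capabilities set):", missing_capabilities(SAMPLE_GETCAP_NONE))
    print("live host check:", live_check())
```

A defunct tcpdump plus a non-empty missing_caps set points at the binary's permissions rather than at routing.conf or auxiliary.conf, which is the distinction that took several round trips to reach in this thread.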

mostwanted002 commented 1 year ago

In fact, it was a permission error.

Re-running the commands from the script fixed the issue. Thank you. Closing it now.

doomedraven commented 1 year ago

yaw, i will try to see how to detect it automatically, as this is one of the most frequent problems

doomedraven commented 1 year ago

check implemented https://github.com/kevoreilly/CAPEv2/commit/6b024f2583947ccf16f716883e7072900b73affe

kevoreilly commented 1 year ago

Thank you ❤️

mostwanted002 commented 1 year ago

Just a small typo at https://github.com/kevoreilly/CAPEv2/commit/6b024f2583947ccf16f716883e7072900b73affe#diff-135674f4191a6723a6ab937ce790475b731dfe7a12ee14700831cb9715e76b41R545

"won't"