lemontree55 / packetgen

Ruby library to easily generate and capture network packets
MIT License

PcapRub_Wrapper #114

Closed Ohnenundra closed 3 years ago

Ohnenundra commented 3 years ago

Tried to run code and got error

Traceback (most recent call last):
    3: from /home/portkey/.gem/ruby/2.7.0/gems/packetgen-3.1.8/lib/packetgen/capture.rb:72:in `block in start'
    2: from /home/portkey/.gem/ruby/2.7.0/gems/packetgen-3.1.8/lib/packetgen/pcaprub_wrapper.rb:55:in `capture'
    1: from /home/portkey/.gem/ruby/2.7.0/gems/packetgen-3.1.8/lib/packetgen/pcaprub_wrapper.rb:38:in `open_iface'
/home/portkey/.gem/ruby/2.7.0/gems/packetgen-3.1.8/lib/packetgen/pcaprub_wrapper.rb:38:in `activate': unable to activate interface: -8, enp3s0f0 (PCAPRUB::PCAPRUBError)

sdaubert commented 3 years ago

@Ohnenundra You have to be root, or set CAP_NET_RAW and CAP_NET_ADMIN capabilities to the process using pcap library.

Ohnenundra commented 3 years ago

I used sudo and tried setting the capabilities and got the same error.

sdaubert commented 3 years ago

@Ohnenundra Please copy your code (the minimum to get the error) and the command line you use to execute it.

Ohnenundra commented 3 years ago

I was testing the code from the medium post.

require "packetgen"

class IDS
  def initialize(interface: PacketGen.default_iface, &block)
    @rules = {}
    instance_eval &block
    PacketGen.capture(iface: interface) do |packet|
      @rules.each do |header, blocks|
        next unless packet.is? header
        blocks.each do |block|
          block.call(packet)
        end
      end
    end
  end

  def rule(header, &block)
    if @rules[header]
      @rules[header] << block
    else
      @rules[header] = [block]
    end
  end
end

IDS.new do
  rule 'DNS' do |packet|
    next unless packet.ip.dst == "8.8.8.8"
    puts "Talking to Google's DNS server using DNS"
  end
end

I used the command ruby ids.rb and tried sudo ruby ids.rb

I also tried using setcap to change the capabilities by using the command: sudo setcap cap_net_raw,cap_net_admin+eip ids.rb

sdaubert commented 3 years ago

I cannot reproduce your problem. Using sudo is fine here.

The error code in your first message (-8) indicates "no permission to open the device". Did you try it as root?

Ohnenundra commented 3 years ago

Tried as root. Now have an error code of -9

sdaubert commented 3 years ago

@Ohnenundra From /usr/include/pcap/pcap.h:

#define PCAP_ERROR_IFACE_NOT_UP     -9  /* interface isn't up */

The interface you use is not up. So capture is not possible.
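The two checks discussed in this thread (capture privileges for error -8, interface state for error -9), as an added example that is not part of the original issue or of packetgen. The helper names are hypothetical; the inputs are the text of /proc/self/status and /sys/class/net/<iface>/flags on Linux, replaced here by constructed samples.

```ruby
# Added example: hypothetical helpers, not part of packetgen or pcaprub.
# libpcap activation codes seen in this thread (values from pcap/pcap.h).
PCAP_PERM_DENIED  = -8
PCAP_IFACE_NOT_UP = -9
# Linux capability bit numbers (linux/capability.h).
REQUIRED_CAPS = { 'CAP_NET_RAW' => 13, 'CAP_NET_ADMIN' => 12 }.freeze
IFF_UP = 0x1 # administrative "up" flag in /sys/class/net/<iface>/flags

# Extract code and interface from the PCAPRUB error message format shown above.
def parse_activate_error(message)
  m = message.match(/unable to activate interface: (-?\d+), (\S+)/)
  m && { code: m[1].to_i, iface: m[2] }
end

# proc_status is the text of /proc/<pid>/status; returns the capability
# names absent from the effective set (CapEff).
def missing_capabilities(proc_status)
  eff = proc_status[/^CapEff:\s*(\h+)/, 1].to_s.hex
  REQUIRED_CAPS.reject { |_name, bit| eff[bit] == 1 }.keys
end

# iface_flags is the text of /sys/class/net/<iface>/flags, e.g. "0x1002".
def iface_up?(iface_flags)
  (iface_flags.strip.hex & IFF_UP) == IFF_UP
end

def diagnose(message, proc_status:, iface_flags:)
  err = parse_activate_error(message)
  return 'not a pcap activation error' unless err

  case err[:code]
  when PCAP_PERM_DENIED
    missing = missing_capabilities(proc_status)
    detail = missing.empty? ? 'effective set has both capabilities' : "missing #{missing.join(', ')}"
    "#{err[:iface]}: permission denied (#{detail})"
  when PCAP_IFACE_NOT_UP
    state = iface_up?(iface_flags) ? 'IFF_UP set' : 'IFF_UP not set'
    "#{err[:iface]}: interface not up (#{state})"
  else
    "#{err[:iface]}: pcap error #{err[:code]}"
  end
end

# Constructed sample inputs, not taken from the reporter's machine.
UNPRIVILEGED_STATUS = "Name:\truby\nCapEff:\t0000000000000000\n"
DOWN_FLAGS = "0x1002\n"
puts diagnose('unable to activate interface: -8, enp3s0f0', proc_status: UNPRIVILEGED_STATUS, iface_flags: DOWN_FLAGS)
puts diagnose('unable to activate interface: -9, enp3s0f0', proc_status: UNPRIVILEGED_STATUS, iface_flags: DOWN_FLAGS)
```

CapEff describes the running process, so on a live system the status text has to be read from inside the same ruby process that calls PacketGen.capture.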