Capturing network data

ENTRADA can handle DNS/IP/TCP/UDP/ICMP network traffic data; support for other network protocols can be added by writing additional network decoder(s) and database table(s). The capture process itself is not part of ENTRADA. The following example script can be used to create pcap files containing network data.

Use this script to capture network data into files that each contain 5 minutes of data. The current script captures DNS traffic over both TCP and (fragmented) UDP. The ip[6:2] & 0x1fff != 0 part checks whether a packet is a non-first IP fragment: bytes 6 and 7 of the IPv4 header hold the fragment offset in their low 13 bits, and a non-zero offset means the packet is a later fragment. Such a fragment does not carry a UDP header with a port number, so the plain "port 53" match would miss it. The PCAP decoder logic expects PCAP files to be compressed with gzip and to have the following filename format: <filename>.pcap.gz
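To make the fragment check concrete, here is an added Python example (not part of the ENTRADA project or of the capture script) that mirrors the (port 53 or ip[6:2] & 0x1fff != 0) part of the filter over constructed IPv4 packets: the first fragment of a large DNS answer, its second fragment, and an unrelated TCP packet. The packet bytes, addresses and ports are constructed for illustration only.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17


def ipv4_header(total_len, ident, more_fragments, frag_offset, proto, src, dst):
    """Build a minimal 20-byte IPv4 header (checksum left 0; not relevant here).
    frag_offset is in 8-byte units, exactly as it appears on the wire."""
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                       64, proto, 0, src, dst)


def ipv4_fragment_offset(pkt):
    """tcpdump's 'ip[6:2] & 0x1fff': bytes 6-7 of the IPv4 header, low 13 bits."""
    return struct.unpack("!H", pkt[6:8])[0] & 0x1FFF


def transport_ports(pkt):
    """(sport, dport) for TCP/UDP when the transport header is present, else None.
    Non-first fragments carry only payload after the IP header, so there are no ports."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] not in (IPPROTO_TCP, IPPROTO_UDP) or ipv4_fragment_offset(pkt) != 0:
        return None
    return struct.unpack("!HH", pkt[ihl:ihl + 4])


def matches_capture_filter(pkt):
    """Mirror of '(port 53 or ip[6:2] & 0x1fff != 0)' from the tcpdump filter.
    BPF's own 'port 53' only matches packets whose transport header is present,
    which is why the explicit offset test is needed to pick up later fragments."""
    ports = transport_ports(pkt)
    if ports is not None and 53 in ports:
        return True
    return ipv4_fragment_offset(pkt) != 0


# Constructed sample packets (not captured traffic): a large DNS/UDP answer split in two.
SRC, DST = bytes([192, 0, 2, 53]), bytes([198, 51, 100, 7])
FIRST_FRAGMENT = (ipv4_header(1500, 0xBEEF, True, 0, IPPROTO_UDP, SRC, DST)
                  + struct.pack("!HHHH", 53, 40000, 1600, 0) + b"\x00" * 16)
SECOND_FRAGMENT = (ipv4_header(140, 0xBEEF, False, 185, IPPROTO_UDP, SRC, DST)
                   + b"\x00" * 16)
HTTPS_PACKET = (ipv4_header(60, 0x0001, False, 0, IPPROTO_TCP, SRC, DST)
                + struct.pack("!HH", 51000, 443) + b"\x00" * 16)

if __name__ == "__main__":
    for name, pkt in [("first fragment", FIRST_FRAGMENT),
                      ("second fragment", SECOND_FRAGMENT), ("https", HTTPS_PACKET)]:
        print(f"{name:16} ports={transport_ports(pkt)} "
              f"offset={ipv4_fragment_offset(pkt)} captured={matches_capture_filter(pkt)}")
```

The second fragment has no readable ports, so only the offset test keeps it; the HTTPS packet is dropped because neither condition holds.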

Modify the HOST_V4 and HOST_V6 variables so that they contain the IP addresses of the server receiving the network traffic. If no IPv6 address is available, remove all HOST_V6 references or use a dummy address. Change the HOSTNAME_PREFIX variable to match the hostname of the server.

#!/usr/bin/env bash

SCRIPT_DIR=$(dirname "$0")
# shared variables (INTERFACE, DUMPDIR, HOSTNAME_PREFIX, HOST_V4, HOST_V6)
source "$SCRIPT_DIR/"

# change HOST_V4 and HOST_V6 to the correct addresses of this server!

# use ip[6:2] & 0x1fff != 0 to also capture fragmented packets (later fragments carry no port)
# -G 300 starts a new output file every 5 minutes; the %Y-%m-%d_%H:%M fields are strftime placeholders
# the filter is in double quotes so that $HOST_V4 and $HOST_V6 are expanded by the shell
tcpdump -i "$INTERFACE" -w "${DUMPDIR}/${HOSTNAME_PREFIX}_%Y-%m-%d_%H:%M.pcap" -G 300 \
  "(( port 53 or ip[6:2] & 0x1fff != 0) or icmp or icmp6 ) and ( host $HOST_V4 or host $HOST_V6 )"

The sourced file contains the shared variables (the pcap cleanup script also uses these variables). Modify DUMPDIR to match the directory where tcpdump must write its PCAP files. The DAYS_TO_KEEP variable must contain the number of days that PCAP files are kept on disk before they are deleted by the cleanup script.

The following script removes PCAP files older than x days (configured with the DAYS_TO_KEEP variable).

#!/usr/bin/env bash

SCRIPT_DIR=$(dirname "$0")
# shared variables (DUMPDIR, DAYS_TO_KEEP)
source "$SCRIPT_DIR/"

# -ctime +N matches files changed more than N days ago; without the '+' find would only
# match files exactly N days old and everything older would stay on disk
find "$DUMPDIR" -type f -name '*.pcap*' -ctime +"$DAYS_TO_KEEP" -exec rm {} \;