Capture data

PCAP

Capture DNS-data using the PCAP-format, e.g. using the tcpdump utility. The files can be compressed using one of the following compression algorithms: - gzip - xz

The PCAP-file extension must end with one of the following:

  • .pcap (no compression)
  • .pcap.gz (gzip compression)
  • .pcap.xz (xz compression)

Creating a PCAP-file

To create PCAP files containing network data the following example script can be used to capture data, each file will contain 5 minutes of data. Make sure that you do not create files that are too big, don’t create files bigger as 500MB. Larger files can cause the memory usage of ENTRADA to increase.

The example script captures DNS traffic for both TCP and (fragmented) UDP. The ip[6:2] & 0x1fff != 0 part checks if it is a fragmented UDP packet. The second packet for a fragmented request does not contain a header with port number. The PCAP decoder logic expects that PCAP files are compressed with gzip and have the following filename format <filename>.pcap.gz

Modify the HOST_V4 and HOST_V6 variables to contain the IP addresses of the name server. If no IPv6 address is available then remove all HOST_V6 references or use a dummy address. Change the HOSTNAME_PREFIX variable to match the hostname of the server.

#!/usr/bin/env bash

SCRIPT_DIR=$(dirname "$0")
source $SCRIPT_DIR/config.sh

#change the IP addresses to the correct servers addresses!
HOST_V4=xxx.xx.xxx.xxx
HOST_V6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
HOSTNAME_PREFIX=xxx
INTERFACE=eth1

use  & 0x1fff != 0 to also capture fragmented packets
tcpdump -i $INTERFACE -w ${DUMPDIR}/$HOSTNAME_PREFIX_%Y-%m-%d_%H:%M.pcap -G 300 '(( port 53 or ip[6:2] & 0x1fff != 0) or icmp or icmp6 ) and ( host $HOST_V4 or host $HOST_V6 )'