Packet capture

From k-space wiki

Implement packet capture using Moloch

Supervisor: Lauri/Toomas

Background research

Packet capture: intercepting data packets as they cross a specific computer network.

Packet analysis can help with the following:

1. Security – Determine point of intrusion

2. Identification of Data Leakage

3. Troubleshooting

4. Identifying Data/Packet Loss

5. Forensics – Detecting viruses, worms, malware, ...

Primary ways to capture traffic

1. Port mirroring: Send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port

2. Hubbing out: Place target device and your analyzer on the same network segment by plugging them both directly into a hub.

3. Using a tap: A network tap is a hardware device that you can place between two points on your cabling system to capture the packets between those two points.

Port Mirroring requirements

1. Have access to the command line or web management interface of the switch on which the target computer is located

2. Switch must support port mirroring and have an empty port into which you can plug your sniffer.

3. How you set up port mirroring depends on the manufacturer of your switch

4. Especially at high throughput levels, port mirroring can provide inconsistent results and cause data loss that can be hard to track down.


Cisco Switched Port Analyzer (SPAN)

The SPAN feature, sometimes called port mirroring or port monitoring, selects network traffic for analysis by a network analyzer.

The Catalyst 3750 / 3750E / 3750X series support SPAN.

Connect Linux to the Cisco serial console (use PuTTY if connecting from Windows)

1. Install cu: $ sudo apt-get install cu

2. Use a USB-to-serial converter and a Cisco console cable to connect your laptop to the switch, and install the driver

3. Identify the port of the serial cable: $ sudo dmesg | grep -i tty

4. Connect to a switch with cu command: $ sudo cu -l /dev/device -s baud-rate-speed

5. The Cisco prompt appears, ready for configuration

Catalyst Switched Port Analyzer (SPAN) Configuration

1. Speed up switch port initialization process:

Switch> enable

Switch# config terminal

Switch(config)# int range fastEthernet 0/1 - 24

Switch(config-if-range)# switchport mode access

Switch(config-if-range)# spanning-tree portfast

2. Creating a SPAN Session

Switch> enable

Switch# config terminal

Switch(config)# monitor session 1 source interface fastEthernet 0/25

Switch(config)# monitor session 1 destination interface fastEthernet 0/26

Switch(config)# exit

Switch# copy run start


Moloch is an open source, large-scale, full packet capturing, indexing, and database system powered by Elasticsearch.

Usage:

1. Real-time capture of network traffic for forensic and investigative purposes

2. Static PCAP repository


1. Capture - A threaded C application that monitors network traffic, writes PCAP-formatted files to disk, parses the captured packets and sends metadata (SPI data) to Elasticsearch.

2. Viewer - A Node.js application that runs per capture machine and handles the web interface and transfer of PCAP files.

3. Elasticsearch - The search database technology powering Moloch.


1. All components (Capture, Database and Viewer) can run on the same host; Capture will want lots of storage space for the PCAP it has ingested

2. Can scale easily across multiple hosts for Capture and Database components

Important factors

1. CPU Power: Number of cores, clock speed, performance per clock

2. File System: High sequential write performance – XFS

3. Disk Speed: 1 GbE line ~ 123 MB/s–133 MB/s, 7.2K RPM disk ~ 170 MB/s, SSD ~ 500 MB/s, RAID – RAM disk

4. Packet Size: Smaller packets have a greater impact (more packets per second for the same bandwidth)

5. Capturing Software: Libpcap, Netmap, AF_PACKET, PF_RING, DPDK

6. NIC: Intel – more up-to-date drivers, better support from capturing software

7. Promiscuous Mode: Setting listening port to promiscuous mode

Moloch Estimators: Use these estimators as a starting point for deciding on the number of machines needed for capture and ES nodes.

What we have

Hardware specification: HP ProLiant DL380 G5, Intel(R) Xeon(R) CPU E5450 @ 3.00GHz, 64GB RAM, Intel I350 Gigabit Network Connection, 1 TB disk space (4 × 7200 RPM disks in RAID 0)

Operating system: Ubuntu 16.04 LTS server

Ubuntu server configuration

Setting listening port to promiscuous mode:

$ sudo ip link set [port] up

$ sudo ip link set [port] promisc on

Moloch Installation

Dependencies: npm, python-software-properties, oracle-java8-installer, curl, apt-transport-https, nodejs

(optional) elasticsearch, only if you want to run capture and database on the same machine; this is not recommended for highly utilized GigE networks

1. Set basic configuration parameters: $ sudo /data/moloch/bin/Configure

2. Set and start elasticsearch database: $ sudo /data/moloch/db/ http://[IP of elasticsearch:port] init

3. Set username/password of Moloch: $ /data/moloch/bin/ admin "Admin user" [password] --admin

4. Start capture service: $ systemctl start molochcapture.service

5. Start viewer service: $ systemctl start molochviewer.service

6. Check whether the installation succeeded by browsing to the viewer on its default port, 8005

Enabling TLS for Viewer

1. Create a keypair and certificate

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /data/moloch/etc/moloch.key -out /data/moloch/etc/moloch.cert

2. Comment out the line below in the configuration file (/data/moloch/etc/config.ini) to enable TLS



Moloch data deletion

1. Moloch pcap files deletion: /data/moloch/etc/config.ini: freeSpaceG = 5%

2. Elasticsearch indices deletion:

Built-in shell script: /data/moloch/db/

Scheduling using /etc/crontab

Moloch packet filtering

Edit the bpf setting in /data/moloch/etc/config.ini using BPF filter syntax

The Berkeley Packet Filter (BPF) provides a raw interface to data link layers, permitting raw link-layer packets to be sent and received.

Sample filter: 'ip[9] = 0x11' (matches packets whose IPv4 protocol field, byte 9 of the IP header, equals 0x11 = 17, i.e. UDP)
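As an added illustration (not part of the original page or of Moloch), a small Python evaluator for the 'ip[offset] = value' primitive used above, run over constructed Ethernet/IPv4 frames; the frames, constants and helper names are all constructed for this example:

```python
import re
import struct

# Constructed for this example: Ethernet II + IPv4 framing constants (not Moloch code)
ETH_HDR_LEN = 14          # dst MAC (6) + src MAC (6) + EtherType (2)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17

def build_frame(proto, payload=b""):
    """Build a constructed Ethernet II + IPv4 frame; checksum left 0 (test data only)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0x1234, 0,   # ver/IHL, TOS, len, id, frag
                         64, proto, 0,                            # TTL, protocol (ip[9]), checksum
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth_hdr = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + payload

def ip_byte(frame, offset):
    """Value of BPF's ip[offset]: byte `offset` into the IPv4 header, or None if not IPv4/too short."""
    if len(frame) < ETH_HDR_LEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    idx = ETH_HDR_LEN + offset
    return frame[idx] if idx < len(frame) else None

_PRIMITIVE = re.compile(r"^ip\[(\d+)\]\s*=\s*(0x[0-9a-fA-F]+|\d+)$")

def compile_ip_primitive(expr):
    """Parse one 'ip[offset] = value' primitive (the subset used on this page) into a predicate."""
    m = _PRIMITIVE.match(expr.strip())
    if not m:
        raise ValueError("unsupported filter: %r" % expr)
    offset, value = int(m.group(1)), int(m.group(2), 0)
    return lambda frame: ip_byte(frame, offset) == value

def matches_udp_filter(frame):
    """The page's sample filter 'ip[9] = 0x11': IPv4 protocol field == 17, same as 'udp'."""
    return compile_ip_primitive("ip[9] = 0x11")(frame)

def count_matching(frames, expr):
    """Apply a filter to a capture (list of frames) and return how many frames pass it."""
    pred = compile_ip_primitive(expr)
    return sum(1 for f in frames if pred(f))

if __name__ == "__main__":
    capture = [build_frame(IPPROTO_UDP, b"dns?"), build_frame(IPPROTO_TCP), build_frame(IPPROTO_UDP)]
    print(count_matching(capture, "ip[9] = 0x11"))   # 2 of the 3 constructed frames are UDP
```

Non-IPv4 frames (e.g. ARP) never match an ip[] primitive, which is why the filter never selects them even though the byte at that offset exists.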


Problems and solutions

1. Old Elasticsearch version: If you choose to install Elasticsearch during the Moloch installation, the bundled Elasticsearch version is too old, and the Elasticsearch service is bound under /data/moloch/elasticsearch

Solution: $ sudo systemctl status elasticsearch.service

$ rm -rf /data/moloch/elasticsearch

2. Read-only protection by Moloch: Moloch captures tons of packets, and the freeSpaceG setting in /data/moloch/etc/config.ini deletes pcap files when free space drops below this value. Elasticsearch also switches indices to read-only when storage is low.


Use the command below to set read_only_allow_delete back to false

curl -X PUT "localhost:9200/_settings" -H 'Content-Type:application/json' -d '{ "index": { "blocks": { "read_only_allow_delete": "false" } } }'

Further exploration


$ sudo apt-get update

$ sudo apt-get install dsniff

$ nano ./

Loop through all captured .pcap files with dsniff -p:

$ for file in $(find /data/moloch/raw/ -name '*.pcap'); do dsniff -p "$file"; done

Suggestions for solving problem

1. How to solve problems: (1) check logs, (2) official documentation, (3) community forum, (4) Google, (5) ask Toomas and Lauri

2. Get your hands dirty and you will learn a lot

What's next?

WISE (With Intelligence See Everything) plugin: Moloch SPI data enhancer; supported data sources; multilayer caching

