Retrieve all SMTP and DNS packets

This sample uses an expression in Trisul Filter Format to retrieve all DNS (port 53) and SMTP (port 25) packets into a PCAP file. It also prints the SHA-1 hash of the packets as returned by the Trisul probe backend.

Code




# Trisul Remote Protocol TRP Demo script
#
#
# Save all DNS and SMTP traffic in past one hour
#
require 'rubygems' if RUBY_VERSION < '1.9'
require 'securerandom'
require 'trisulrp'

include TrisulRP::Protocol
include TrisulRP::Guids

def usage()
 "\nUsage   : ruby #{$0} <zmq_domain_endpoint> <context_name> <probe_id>" +
 "\nExample : ruby #{$0} ipc:///usr/local/var/lib/trisul-hub/domain0/run/ctl_local_req context0 probe0" 
end
raise usage if  ARGV.length !=3



# open a TRP connection to the trisul server
#
@conn     = ARGV.shift
@context  = ARGV.shift
@probe_id = ARGV.shift

# construct an expression in  Trisul Filter Format (see doc)
# here we say that Counter Group apps contain p-0019 and p-0035. These
# two are called keys. Use can also use mk_trisul_key(..) to convert
# names to keys
#

expr = "#{TrisulRP::Guids::CG_APP}=p-0019,p-0035"
time_req = TrisulRP::Protocol.mk_request(TRP::Message::Command::PCAP_SLICES_REQUEST,
                                         :context_name=>@context,
                                         :get_total_window=>true,
                                         :destination_node=>@probe_id)
tm_arr = []
TrisulRP::Protocol.get_response_zmq(@conn,time_req) do |resp|
  tm_arr << Time.at(resp.total_window.from.tv_sec)
  tm_arr << Time.at( resp.total_window.to.tv_sec)
end

#tm_arr[0] = tm_arr[1] - 3600


# send pcap request 
def send_pcap_request(command,opts)
  req =  TrisulRP::Protocol.mk_request(command,opts)
  resp = TrisulRP::Protocol.get_response_zmq(@conn,req) 
  trp_resp_command_id = resp.instance_variable_get("@trp_resp_command_id")
  if TRP::Message::Command::ASYNC_RESPONSE == trp_resp_command_id 
    rsync_opts = {
      :token=>resp.token,
      :destination_node=>@probe_id
    }
   sleep(5)#don't send the async request immediately,wait some time to get pcap ready
   send_pcap_request(TRP::Message::Command::ASYNC_REQUEST,rsync_opts)
  else
   download_to(resp)
  end
end
# Pcap was generated and store in probe
# Get pcap file chunk by chunk and store in local file
def download_to(resp,opts={})
  p "Number of bytes = #{resp.num_bytes}\n"
  p "Hash            = #{resp.sha1}\n"


  opts[:uri] =  resp.save_file
  opts[:run_async] = false
  opts[:position] = 0
  opts[:delete_on_eof] = true
  opts[:destination_node]= @probe_id
  opts[:context_name]=@context
  done=false
  file = "#{SecureRandom.urlsafe_base64(6)}.pcap"
  p "Writing to the file #{file}"
  outfile = File.open(file,"wb")
  while not done
   downloadreq = TrisulRP::Protocol.mk_request(TRP::Message::Command::FILE_REQUEST,opts)
   resp = TrisulRP::Protocol.get_response_zmq(@conn,downloadreq)
   outfile.write( resp.content)
   opts[:position] = resp.position
   done= resp.eof
  end
  outfile.close
end

# create the request
# We can retrieve raw packets by FOUR methods (see docs)
# 1. By a filter expr (this example)
# 2,3,4. For a given flow, alert, or resource
opts = {
  :context_name => @context,
  :time_interval  => mk_time_interval(tm_arr),
  :filter_expression  => expr,
  :save_file_prefix =>"PCAP",
  :run_async=>true,
  :destination_node => @probe_id
}
send_pcap_request(TRP::Message::Command::PCAP_REQUEST,opts)


Usage


  ruby pcap_simple.rb ipc:///usr/local/var/lib/trisul-hub/domain0/run/ctl_local_req default probe0

Sample output


"Number of bytes = 100001742\n"
"Hash            = 06fbd64226415cc1d6b228fc54dc8cbda89a6531\n"
"Writing to the file GbWzGFXn.pcap"

The packets are saved in a file called GbWzGFXn.pcap (see the code).


[vivek@localhost t3]$ tcpdump -nnn -r GbWzGFXn.pcap 
reading from file GbWzGFXn.pcap, link-type EN10MB (Ethernet)
19:14:39.344589 IP 192.168.1.103.11385 > 8.8.8.8.53: 40013+ A? www.googleapis.com. (36)
19:14:39.395994 IP 8.8.8.8.53 > 192.168.1.103.11385: 40013 4/0/0 CNAME googleapis.l.google.com., A 216.58.197.42, A 216.58.197.74, A 216.58.220.42 (118)
19:14:50.966257 IP 192.168.1.103.13876 > 8.8.8.8.53: 8867+ A? apis.google.com. (33)
19:14:50.975130 IP 192.168.1.103.17156 > 8.8.8.8.53: 27086+ A? ssl.gstatic.com. (33)
19:14:50.975744 IP 192.168.1.103.17357 > 8.8.8.8.53: 22725+ A? www.gstatic.com. (33)
19:14:51.035837 IP 8.8.8.8.53 > 192.168.1.103.13876: 8867 2/0/0 CNAME plus.l.google.com., A 216.58.196.110 (70)
19:14:51.044706 IP 8.8.8.8.53 > 192.168.1.103.17156: 27086 1/0/0 A 216.58.196.99 (49)
19:14:51.046428 IP 8.8.8.8.53 > 192.168.1.103.17357: 22725 1/0/0 A 216.58.196.99 (49)
19:15:16.293179 IP 192.168.1.103.6451 > 8.8.8.8.53: 11093+ A? trisul.org. (28)
19:15:16.414788 IP 8.8.8.8.53 > 192.168.1.103.6451: 11093 1/0/0 A 104.131.215.222 (44)
..