This artifact leverages tcpdump to natively capture packets.
The Duration parameter is used to define how long (in seconds) the capture should be. Specific interfaces can be defined using the Interface parameter, otherwise the artifact defaults to an interface assignment of any.
A BPF (Berkeley Packet Filter) expression can also be supplied to filter the captured traffic as desired.
Read more about BPF expressions here: https://biot.com/capstats/bpf.html
name: Linux.Network.PacketCapture
author: Wes Lambert, @therealwlambert
description: |
This artifact leverages tcpdump to natively capture packets.
The `Duration` parameter is used to define how long (in seconds) the capture should be. Specific interfaces can be defined using the `Interface` parameter, otherwise the artifact defaults to an interface assignment of `any`.
A `BPF` (Berkeley Packet Filter) expression can also be supplied to filter the captured traffic as desired.
Read more about BPF expressions here: https://biot.com/capstats/bpf.html
required_permissions:
- EXECVE
parameters:
- name: Duration
type: integer
description: Duration (in seconds) of PCAP to be recorded.
default: 10
- name: Interface
type: string
default: any
- name: BPF
type: string
default:
precondition:
SELECT * FROM info() where OS = 'linux'
sources:
- query: |
LET pcap <= tempfile(extension=".pcap")
SELECT *, upload(file=pcap) AS PCAP
FROM execve(argv=['bash', '-c', format(format='''(tcpdump -nni %v -w %v %v) & sleep %v; kill $!''', args=[Interface, pcap, BPF, Duration])], length=1000000)