MacOS.Network.PacketCapture

This artifact leverages tcpdump to natively capture packets.

The Duration parameter sets how long (in seconds) the capture runs. A specific interface can be selected with the Interface parameter; otherwise the artifact defaults to any. Note that any is a Linux pseudo-interface that macOS tcpdump does not provide, so list the interfaces available on the target with tcpdump -D and set Interface explicitly (for example en0).

A BPF (Berkeley Packet Filter) expression can also be supplied to filter the captured traffic as desired.

Read more about BPF expressions here: https://biot.com/capstats/bpf.html


name: MacOS.Network.PacketCapture
author: Wes Lambert, @therealwlambert
description: |
  This artifact leverages tcpdump to natively capture packets.

  The `Duration` parameter sets how long (in seconds) the capture runs. A specific interface can be selected with the `Interface` parameter; otherwise the artifact defaults to `any`. Note that `any` is a Linux pseudo-interface that macOS tcpdump does not provide, so list the interfaces available on the target with `tcpdump -D` and set `Interface` explicitly (for example `en0`).

  A `BPF` (Berkeley Packet Filter) expression can also be supplied to filter the captured traffic as desired.
  
  Read more about BPF expressions here: https://biot.com/capstats/bpf.html

required_permissions:
  - EXECVE

parameters:
  - name: Duration
    type: integer
    description: Duration (in seconds) of PCAP to be recorded.
    default: 10
  
  - name: Interface
    type: string
    description: Interface to capture on, as listed by `tcpdump -D` on the target (for example en0). `any` is a Linux pseudo-interface that macOS tcpdump does not provide.
    default: any

  - name: BPF
    type: string
    description: Optional BPF expression handed to tcpdump as its filter, for example `host 10.0.0.1 and (port 80 or port 443)`. Leave empty to capture all traffic.
    default: ""
    
precondition:
  SELECT * FROM info() where OS = 'darwin'

sources:
    - query: |
            LET pcap <= tempfile(extension=".pcap")
            -- Pass the parameters to bash as positional arguments rather than splicing them into the
            -- command string, so a BPF with parentheses or quotes is not re-parsed by the shell; after
            -- SIGTERM, wait for tcpdump to flush and close the file before it is uploaded.
            SELECT *, upload(file=pcap) AS PCAP
              FROM execve(argv=['bash', '-c',
                  'tcpdump -nn -i "$1" -w "$2" ${3:+"$3"} & pid=$!; sleep "$4"; kill "$pid"; wait "$pid"',
                  'tcpdump-capture', Interface, pcap, BPF, str(str=Duration)], length=1000000)
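The capture step that the query above hands to bash, written out as a stand-alone POSIX shell script so the behaviour can be tested outside Velociraptor. This is an added example, not code from the artifact or from the Velociraptor project. It assumes tcpdump is on PATH and that a real capture runs as root (BPF device access); the interface name en0, the filter expression and the TCPDUMP override variable are illustrative choices of this example. It shows three things the paragraph leaves implicit: the interface, output file and filter are passed to tcpdump as separate words, so a BPF expression containing parentheses survives intact and an empty filter means "all traffic"; the capture is stopped with SIGTERM and then waited on, so the file is closed before anything reads it; and the result is checked for a libpcap or pcapng magic number before it is treated as a capture.

```shell
#!/bin/sh
# Added example, not part of the MacOS.Network.PacketCapture artifact or of
# Velociraptor. Assumes tcpdump on PATH and root for a real capture; en0 and
# the filter in the usage block are illustrative.

# Start tcpdump with the interface ($1), output file ($2) and optional filter
# ($3) as separate words. tcpdump joins its trailing arguments itself, so the
# whole expression can be one argument and is never re-parsed by the shell.
# ${3:+"$3"} appends nothing when the filter is empty, which captures all
# traffic. TCPDUMP (this example's own variable) may name a function instead
# of the binary to inspect the argv without capturing.
start_tcpdump() {
    "${TCPDUMP:-tcpdump}" -nn -i "$1" -w "$2" ${3:+"$3"}
}

# Stand-in for tcpdump that prints one argv word per line.
print_argv() {
    printf '%s\n' "$@"
}

# Capture on $1 to $2 with filter $3 for $4 seconds. After the sleep, send
# SIGTERM and wait for tcpdump to flush and close the file before returning;
# the exit status is tcpdump's, so a bad interface name is not silently lost.
timed_capture() {
    start_tcpdump "$1" "$2" "$3" &
    pid=$!
    sleep "$4"
    kill -TERM "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null
}

# Return 0 if $1 begins with a libpcap magic number (either byte order,
# microsecond or nanosecond timestamps) or the pcapng section header block
# type. Catches an empty or truncated capture before it is analysed.
pcap_magic_ok() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (as root): sh capture.sh run
# Captures 10 seconds of HTTP(S) traffic to and from 10.0.0.1 on en0.
if [ "${1:-}" = "run" ]; then
    out="/tmp/capture-$$.pcap"
    timed_capture en0 "$out" 'host 10.0.0.1 and (port 80 or port 443)' 10
    pcap_magic_ok "$out" && echo "valid capture written to $out"
fi
```

Running the script with `run` reproduces what the artifact does on the endpoint; without arguments it only defines the functions, which is how it is checked below. The same quoting rule applies if the filter is ever built from another source: keep it as one argument and never feed it back through `bash -c` by string concatenation.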