Just a quick tip on how to display MAC addresses in the TCPdump utility.
Simply use the “-e” switch.
- tcpdump ip and not net localnet. To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host: tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'. To print all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example.
- Nov 23, 2015 If you don’t have tcpdump installed on your Solaris server, you can use the “snoop” system command to capture network traffic. Here is the command line option to capture 1000 packets of network traffic from IP 192.168.10.10 on a Solaris server using interface e1000g1 and write the output to /tmp/capture.pcap.
tcpdump -i INTERFACENAME -e
WinDump is the Windows version of tcpdump, the command line network analyzer for UNIX. WinDump is fully compatible with tcpdump and can be used to watch, diagnose and save to disk network traffic.
Without the -e switch:
[CheckPoint]# tcpdump -i bond2.100 -n
12:28:42.257902 IP 10.20.20.31.49155 > 10.254.25.116.49929: . ack 1831 win 513
12:28:42.258620 IP 10.20.20.31.49155 > 10.254.25.116.49929: P 1:286(285) ack 1831 win 513
With the -e switch:
[CheckPoint]# tcpdump -i bond2.100 -en
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond2.100, link-type EN10MB (Ethernet), capture size 96 bytes
12:28:02.676263 00:00:85:83:c1:fc > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.254.25.48 tell 10.254.25.222
12:28:02.789472 c4:34:6b:53:b9:f4 > 8c:dc:d4:aa:0e:bd, ethertype IPv4 (0x0800), length 208: 10.254.25.128.49905 > 10.20.204.https: P 2852867481:2852867635(154) ack 1634338568 win 25
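As an added example (not part of the original tip), a POSIX shell script that reads tcpdump -en output in the format shown above, builds an IP-to-source-MAC table, and reports any IP address seen behind more than one MAC, a quick check for a host that changed hardware address or for an ARP-level conflict on the segment. The sample lines are constructed for this example and mirror the page's output format.

```shell
#!/bin/sh
# Added example, not from the original tip: map IP addresses to the source MAC
# seen in "tcpdump -en" output and flag IPs observed behind more than one MAC.

# Constructed sample lines in the same format as the page's "-en" output.
SAMPLE='12:28:02.676263 00:00:85:83:c1:fc > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.254.25.48 tell 10.254.25.222
12:28:02.789472 c4:34:6b:53:b9:f4 > 8c:dc:d4:aa:0e:bd, ethertype IPv4 (0x0800), length 208: 10.254.25.128.49905 > 10.20.20.4.443: P 1:155(154) ack 1 win 25
12:28:03.100000 c4:34:6b:53:b9:f4 > 8c:dc:d4:aa:0e:bd, ethertype IPv4 (0x0800), length 60: 10.254.25.128.49906 > 10.20.20.4.443: S 0:0(0) win 64240
12:28:03.200000 00:11:22:33:44:55 > 8c:dc:d4:aa:0e:bd, ethertype IPv4 (0x0800), length 60: 10.254.25.128.49907 > 10.20.20.4.443: S 0:0(0) win 64240
12:28:03.300000 8c:dc:d4:aa:0e:bd > c4:34:6b:53:b9:f4, ethertype IPv4 (0x0800), length 84: 10.20.20.4 > 10.254.25.128: ICMP echo reply, id 1, seq 1, length 64'

# ip_mac_pairs: read "-en" lines on stdin, print unique "SRC_IP SRC_MAC" pairs.
# Only IPv4 frames are considered (ARP and other ethertypes are skipped); the
# trailing ".port" is stripped from the source address when present, while a
# bare address (e.g. on ICMP lines) is kept as-is.
ip_mac_pairs() {
    awk '$5 == "ethertype" && $6 == "IPv4" {
        src = $10
        n = split(src, a, ".")
        if (n > 4) src = a[1] "." a[2] "." a[3] "." a[4]
        print src, $2
    }' | sort -u
}

# mac_conflicts: print "IP: MAC1 MAC2 ..." for every IP seen behind more than
# one source MAC in the input (output sorted so it is stable).
mac_conflicts() {
    ip_mac_pairs | awk '{ seen[$1]++; macs[$1] = macs[$1] " " $2 }
        END { for (ip in seen) if (seen[ip] > 1) print ip ":" macs[ip] }' | sort
}

# Run against the constructed sample; on a live box pipe "tcpdump -eni IFACE"
# output into mac_conflicts instead.
printf '%s\n' "$SAMPLE" | mac_conflicts
```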
Before proceeding to install and configure Cuckoo, you’ll need to install some required software packages and libraries.
Installing Python libraries (on Ubuntu/Debian-based distributions)
The Cuckoo host components are completely written in Python, therefore it is required to have an appropriate version of Python installed. At this point we only fully support Python 2.7. Older versions of Python and Python 3 versions are not supported by us (although Python 3 support is on our TODO list with a low priority).
The following software packages from the apt repositories are required to get Cuckoo to install and run properly:
In order to use the Django-based Web Interface, MongoDB is required:
In order to use PostgreSQL as database (our recommendation), PostgreSQL will have to be installed as well:
Pydeep is an optional plugin that can be installed manually. A link is provided for convenience: pydeep install. Note: the libfuzzy-dev package is required for pydeep but at the time of writing was not listed in the official documentation.
If you want to use KVM as machinery module you will have to install KVM:
If you want to use XenServer you’ll have to install the XenAPI Python package:
If you want to use the mitm auxiliary module (to intercept SSL/TLS generated traffic), you need to install mitmproxy. Please refer to its website for installation instructions. Please note that the latest version of mitmproxy requires Python 3.6 or higher and therefore it’s required to install it within a separate virtualenv to isolate it and its requirements from Cuckoo’s Python 2.7 environment. After installing mitmproxy in a separate virtualenv, include its binary path in the Cuckoo configuration, e.g., /tmp/mitmproxy3/bin/mitmdump if the virtualenv is /tmp/mitmproxy3.
Installing Python libraries (on Mac OS X)
This is mostly the same as the installation on Ubuntu/Debian, except that we’ll be using the brew package manager. Install all the required dependencies as follows (this list is WIP):
In addition to that you’ll also want to expose the openssl header files in the standard GCC/Clang include directory, so that yara-python may compile successfully. This can be done as follows:
Installing Python libraries (on Windows 7)
To be documented.
Virtualization Software
Cuckoo Sandbox supports most virtualization software solutions. As you will see throughout the documentation, Cuckoo has been set up to remain as modular as possible, and in case integration with a piece of software is missing this could be easily added.
For the sake of this guide we will assume that you have VirtualBox installed (which is the default), but this does not affect the execution and general configuration of the sandbox.
You are completely responsible for the choice, configuration, and execution of your virtualization software. Please read our extensive documentation and FAQ before reaching out to us with questions on how to set Cuckoo up.
Assuming you decide to go for VirtualBox, you can get the proper package for your distribution at the official download page. Please find following the commands to install the latest version of VirtualBox on your Ubuntu LTS machine. Note that Cuckoo supports VirtualBox 4.3, 5.0, 5.1, and 5.2:
For more information on VirtualBox, please refer to the official documentation.
Installing tcpdump
In order to dump the network activity performed by the malware during execution, you’ll need a network sniffer properly configured to capture the traffic and dump it to a file.
By default Cuckoo adopts tcpdump, the prominent open source solution.
Install it on Ubuntu:
Note that the AppArmor profile disabling (the aa-disable command) is only required when using the default CWD directory, as AppArmor would otherwise prevent the creation of the actual PCAP files (see also Permission denied for tcpdump). For Linux platforms with AppArmor disabled (e.g., Debian) the following command will suffice to install tcpdump:
Tcpdump requires root privileges, but since you don’t want Cuckoo to run as root you’ll have to set specific Linux capabilities on the binary:
You can verify the results of the last command with:
If you don’t have setcap installed you can get it with:
Or otherwise (not recommended) do:
Please keep in mind that even the setcap method is not perfectly safe (due to potential security vulnerabilities) if the system has other users who are potentially untrusted. We recommend running Cuckoo on a dedicated system or in a trusted environment where the privileged tcpdump execution is otherwise contained.
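As an added example (not from the Cuckoo documentation), a POSIX shell script that applies the capability-based setup described above and verifies it with getcap, so that tcpdump can capture for Cuckoo without running as root. The binary path (/usr/sbin/tcpdump) and the capability set (cap_net_raw and cap_net_admin, effective/inheritable/permitted) are assumptions; the verification accepts both the older and the newer libcap getcap output formats.

```shell
#!/bin/sh
# Added example, not from the Cuckoo docs: grant tcpdump the capabilities it
# needs for unprivileged capture and verify the result. Binary path and the
# exact capability set are assumptions; adjust for your distribution.
TCPDUMP_BIN="${TCPDUMP_BIN:-/usr/sbin/tcpdump}"
WANT_CAPS="cap_net_raw,cap_net_admin"

# caps_ok LINE: succeed when a getcap output line grants both cap_net_admin
# and cap_net_raw with the effective flag set. libcap lists capabilities in
# numeric order (cap_net_admin before cap_net_raw) and prints either the older
# "path = caps+eip" or the newer "path caps=eip" form; both are handled.
caps_ok() {
    case "$1" in
        *cap_net_admin*cap_net_raw*[+=]*e*) return 0 ;;
        *) return 1 ;;
    esac
}

# verify_caps: show what is currently set on the binary and check it.
verify_caps() {
    line="$(getcap "$TCPDUMP_BIN" 2>/dev/null)"
    printf '%s\n' "${line:-<no file capabilities set on $TCPDUMP_BIN>}"
    caps_ok "$line"
}

# apply_caps: set the capabilities (requires root and the setcap tool).
apply_caps() {
    setcap "${WANT_CAPS}=eip" "$TCPDUMP_BIN"
}

# apparmor_note: capabilities alone are not enough when AppArmor confines
# tcpdump; writing the PCAP into Cuckoo's CWD can still be denied.
apparmor_note() {
    if [ -d /sys/kernel/security/apparmor ]; then
        echo "AppArmor is active: make sure the tcpdump profile is disabled or allows Cuckoo's CWD"
    fi
}

if [ "${1:-}" = "apply" ]; then
    if [ "$(id -u)" -ne 0 ]; then echo "re-run as root to apply capabilities" >&2; exit 1; fi
    apply_caps
fi
if [ -x "$TCPDUMP_BIN" ]; then
    verify_caps || echo "$TCPDUMP_BIN is NOT ready for unprivileged capture"
fi
apparmor_note
```

Run it without arguments to audit an existing installation, or with `apply` as root to set the capabilities and then verify them.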
Installing Volatility
Volatility is an optional tool to do forensic analysis on memory dumps. In combination with Cuckoo, it can automatically provide additional visibility into deep modifications in the operating system as well as detect the presence of rootkit technology that escaped the monitoring domain of Cuckoo’s analyzer.
In order to function properly, Cuckoo requires at least version 2.3 of Volatility, but recommends the latest version, Volatility 2.5. You can download it from their official repository.
See the volatility documentation for detailed instructions on how to install it.
Installing M2Crypto
Currently the M2Crypto library is only supported when SWIG has been installed. On Ubuntu/Debian-like systems this may be done as follows:
If SWIG is present on the system one may install M2Crypto as follows:
Installing guacd
guacd is an optional service that provides the translation layer for RDP, VNC, and SSH for the remote control functionality in the Cuckoo web interface. Without it, remote control won’t work. Versions 0.9.9 and up will work, but we recommend installing the latest version. On an Ubuntu 17.04 machine the following command will install version 0.9.9-2:
If you only want RDP support you can skip the installation of the libguac-client-vnc0 and libguac-client-ssh0 packages.
If you are using an older distribution or you just want to use the latest version (our recommendation), the following will build the latest version (0.9.14) from source:
When installing from source, make sure you don’t have another version of any of the libguac- libraries installed from your package manager or you might experience issues due to incompatibilities which can crash guacd.
Note that the VirtualBox Extension Pack must also be installed to take advantage of the Cuckoo Control functionality exposed by Guacamole.