You may have wanted to do real-time capture with Wireshark in a VIRL simulation lab, the way you can in GNS3.
GNS3 integrates a Wireshark live capture feature out of the box.
The GNS3 installer installs Wireshark and Npcap at the same time.
VIRL also has a packet capture feature, and VM Maestro claims to support live packet capture.
I found many documents about offline capture, but there is little documentation on live capture.
Finally I found a live capture method that works with Wireshark, and I have noted the details of this topic below.
Thanks a lot for the well-described script!!!!
I think VIRL is built on OpenStack, uses tcpdump internally for packet capture, and exposes it on an external port with socat.
VIRL exposes the tcpdump stream via socat; we transport it over a simple TCP connection with ncat and pipe it into Wireshark's STDIN (standard input). Wireshark then comes up with a real-time GUI.
virl@virl:~$ ps aux | grep tcpdump
root      3301  0.0  0.0  20980  3224 ?        S    00:04   0:00 /bin/bash /var/local/virl/logs/4438199f-ceda-4acd-a642-f3a7bea4ec57.cmd 4438199f-ceda-4acd-a642-f3a7bea4ec57 socat -U TCP6-LISTEN:'10001,fork,max-children=3' SYSTEM:'timeout 86400 tcpdump -U -i tap6774d374-40 -w - -W 1 -c 1000000 -G 86400 -- | dd bs=1 count=10MB'
root      3302  0.0  0.0  24368  1680 ?        S    00:04   0:00 socat -U TCP6-LISTEN:10001,fork,max-children=3 SYSTEM:timeout 86400 tcpdump -U -i tap6774d374-40 -w - -W 1 -c 1000000 -G 86400 -- | dd bs=1 count=10MB
virl      3490  0.0  0.0  14224  1028 pts/1    S+   00:05   0:00 grep --color=auto tcpdump
The following technique also applies to UNIX environments such as Linux, Mac, and so on.
We install Nmap, but what we actually want is the ncat binary.
If you have already installed Wireshark 3.x, Npcap is probably already installed, so you do not need to install Npcap (uncheck it) during the Nmap installation process.
Launch VM Maestro, launch the simulation, and select the interface you want to capture.
Click the link, right-click the interface, then navigate to General Settings → Capture mode, select
Live capture on TCP port, and click OK.
All other fields are optional.
To identify the TCP port exposed for the capture session, select
Open Packet Capture view; the Packet Captures view then opens.
Find the desired capture session and check the
Live Port column value.
Launch a real-time Wireshark session by double-clicking the script described below and entering the Live Port value.
The original script is available here. Thank you again for the great script!
The following script has the VIRL PE IP configured statically for me, so when I launch this script I only need to enter the VIRL exposed port.
If you installed Nmap or Wireshark to a custom location, change the NETCAT_PATH and WIRESHARK_PATH values in the script.
@echo off
REM This batch file is primarily the work of other users in our community. I have just adapted a simple GUI
REM to make the script more user friendly.
REM Thank you to user Flex from our Support community for creating the initial batch file
REM Thank you to firstname.lastname@example.org for your continued input and fun bits.
REM
REM Make sure that you have installed zenmap (https://nmap.org/zenmap/) on your system.
REM
REM Adapted by: email@example.com
REM Last Modified: Sep 5, 2017
REM
TITLE VIRL Live PCap
MODE con:cols=80 lines=12
COLOR 1F
set NETCAT_PATH=%PROGRAMFILES(x86)%\Nmap\ncat.exe
set WIRESHARK_PATH=%PROGRAMFILES%\Wireshark\Wireshark.exe
echo.
set VIRL_HOST=10.0.4.198
set /P PCAP_PORT="Live Port : "
echo.
echo Reading live pCap from port %PCAP_PORT%.
echo Close this window to stop capture!
echo.
"%NETCAT_PATH%" %VIRL_HOST% %PCAP_PORT% | "%WIRESHARK_PATH%" -k -i -
You can assign any shortcut to it, or register it in your favorite launcher program.
This method of transporting remotely captured packets into Wireshark via stdin applies to any real troubleshooting case, e.g. identifying the accessing thread.
The following example uses PuTTY (plink), Wireshark and tcpdump. The capture filter excludes SSH traffic, because it is noisy and self-amplifying: the captured traffic is itself transported over SSH, so capturing it would generate yet more SSH traffic to capture.
plink -ssh firstname.lastname@example.org "sudo tcpdump -w - not port 22" | Wireshark.exe -k -i -
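A UNIX-side version of the same pipelines (both the ncat/socat one from the batch file and the ssh/tcpdump one just above), as an added example that is not the original post's or the batch script author's code. It validates the Live Port value and probes the socat port to confirm it is really serving a libpcap stream before Wireshark is launched; it assumes ncat (from Nmap), wireshark and ssh are on PATH, and VIRL_HOST and PCAP_PORT are hypothetical environment variables chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes ncat, wireshark and ssh on PATH.

# Accept only a numeric TCP port in the range 1-65535 (the Live Port value).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Classify a capture stream by its first four bytes, read from stdin.
# Prints pcap, pcap-swapped or pcapng; prints unknown and returns 1 otherwise.
pcap_magic() {
    magic=$(od -An -tx1 -N4 | tr -d ' \n')
    case "$magic" in
        d4c3b2a1) echo pcap ;;         # libpcap header as tcpdump -w - writes it on x86
        a1b2c3d4) echo pcap-swapped ;; # libpcap header from a big-endian writer
        0a0d0d0a) echo pcapng ;;       # pcapng section header block
        *)        echo unknown; return 1 ;;
    esac
}

# Connect once to the VIRL socat port and report what it serves. socat forks a
# fresh tcpdump per connection (fork,max-children=3 in the ps output above), so
# this probe occupies one of the three slots until it disconnects.
probe_capture_port() {
    host=$1; port=$2
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    ncat -w 5 "$host" "$port" | pcap_magic
}

# Same pipeline as the batch file: ncat feeds the TCP stream into Wireshark,
# -k starts capturing immediately and -i - reads the capture from stdin.
virl_live_capture() {
    host=$1; port=$2
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    ncat "$host" "$port" | wireshark -k -i -
}

# The plink variant for OpenSSH. -U makes tcpdump flush each packet so Wireshark
# updates per packet instead of in buffered bursts; "not port 22" keeps the SSH
# session that carries the capture out of the capture itself.
ssh_live_capture() {
    ssh "$1" "sudo tcpdump -U -w - not port 22" | wireshark -k -i -
}

if [ -n "${VIRL_HOST:-}" ] && [ -n "${PCAP_PORT:-}" ]; then
    virl_live_capture "$VIRL_HOST" "$PCAP_PORT"
fi
```

Run it as `VIRL_HOST=10.0.4.198 PCAP_PORT=10001 sh virl-live.sh`, or source it and call `probe_capture_port 10.0.4.198 10001` first to check that the Live Port really answers with a pcap header.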