tsharkVM: this project builds a virtual machine for analysing tshark -T ek (ndjson) output. The virtual appliance is built with Vagrant, which provisions Debian 10 with a pre-installed and pre-configured ELK stack.
After the VM is up, the process is simple: tshark -T ek output (ndjson) is sent over TCP/17570 to the VM, and the indexed packets are viewed in Kibana at http://127.0.0.1:15601/app/kibana#/dashboards
Instructions To Build VM From Ubuntu Desktop
Clone source code
git clone https://github.com/H21lab/tsharkVM.git
Build tshark VM
sudo apt update
sudo apt install tshark virtualbox vagrant
bash ./build.sh
Upload pcaps to VM
#copy your pcaps into ./Trace
#run following script
bash upload_pcaps.sh
#or use tshark directly towards 127.0.0.1 17570/tcp
tshark -r trace.pcapng -x -T ek > /dev/tcp/localhost/17570
Open Kibana with browser
firefox http://127.0.0.1:15601/app/kibana#/dashboards
Open the Main Dashboard and widen the time window (e.g. to the last 100 years) to see the sample pcaps.
SSH to VM
cd ./VM
vagrant ssh
Delete VM
cd ./VM
vagrant destroy default
Start VM
cd ./VM
vagrant up
Stop VM
cd ./VM
vagrant halt
SSH into VM and check if ELK is running correctly
cd ./VM
vagrant ssh
sudo systemctl status kibana.service
sudo systemctl status elasticsearch.service
sudo systemctl status logstash.service
Elasticsearch Mapping Template
The project includes a simple Elasticsearch mapping template generated for the frame, eth, ip, udp, tcp and dhcp
protocols. To handle additional protocols efficiently, the mapping template may need to be updated in the following way:
An alternative is to use dynamic mapping; see the template ./Kibana/template_tshark_mapping_dynamic.json, and consider setting the numeric_detection parameter to true or false depending on the mapping requirements and the pcaps used. Upload the template into Elasticsearch in the same way as described above.
The mapping produced by tshark -G elastic-mapping --elastic-mapping-filter may be outdated: it does not properly follow Elasticsearch changes and its output can contain duplicated fields. Manual configuration and post-processing of the mapping template is required.
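The post-processing step the note above calls for, as an added example that is not part of the tsharkVM project: a Python script that reads ek ndjson (the index/document line pairs tshark -T ek writes), records which type each layers.<proto>.<field> would get under numeric_detection, flags fields that are numeric in some packets and text in others (the case where numeric_detection true breaks indexing), and emits an index template that pins those fields to keyword. The sample packets, the ek field naming (proto_field with underscores) and the Elasticsearch 7.x template keys (index_patterns, mappings.dynamic, numeric_detection) are assumptions of this example.

```python
"""Post-process tshark -T ek (ndjson) output into an Elasticsearch index template.

Added example for the tsharkVM page, not project code. Assumes the ek field
naming shown in SAMPLE_EK and Elasticsearch 7.x template keys.
"""
import json
import math
from typing import Any, Dict, Iterator, List, Set, Tuple

# Constructed sample in the line-pair shape tshark -T ek emits: an index
# action line followed by a packet document. Packet 3 carries a DHCP hostname
# that happens to be all digits, so that field is numeric in one packet and
# text in another.
SAMPLE_EK = """\
{"index":{"_index":"packets-2021-01-01","_type":"doc"}}
{"timestamp":"1609459200000","layers":{"frame":{"frame_frame_len":"74","frame_frame_protocols":"eth:ethertype:ip:tcp"},"eth":{"eth_eth_src":"00:11:22:33:44:55","eth_eth_dst":"66:77:88:99:aa:bb"},"ip":{"ip_ip_src":"10.0.0.1","ip_ip_dst":"10.0.0.2","ip_ip_addr":["10.0.0.1","10.0.0.2"],"ip_ip_ttl":"64"},"tcp":{"tcp_tcp_srcport":"51234","tcp_tcp_dstport":"80","tcp_tcp_analysis_ack_rtt":"0.000123"}}}
{"index":{"_index":"packets-2021-01-01","_type":"doc"}}
{"timestamp":"1609459201000","layers":{"frame":{"frame_frame_len":"342","frame_frame_protocols":"eth:ethertype:ip:udp:dhcp"},"eth":{"eth_eth_src":"00:11:22:33:44:55","eth_eth_dst":"ff:ff:ff:ff:ff:ff"},"ip":{"ip_ip_src":"0.0.0.0","ip_ip_dst":"255.255.255.255","ip_ip_ttl":"128"},"udp":{"udp_udp_srcport":"68","udp_udp_dstport":"67"},"dhcp":{"dhcp_dhcp_type":"1","dhcp_dhcp_option_hostname":"host-01"}}}
{"index":{"_index":"packets-2021-01-01","_type":"doc"}}
{"timestamp":"1609459202000","layers":{"frame":{"frame_frame_len":"342","frame_frame_protocols":"eth:ethertype:ip:udp:dhcp"},"eth":{"eth_eth_src":"00:11:22:33:44:66","eth_eth_dst":"ff:ff:ff:ff:ff:ff"},"ip":{"ip_ip_src":"0.0.0.0","ip_ip_dst":"255.255.255.255","ip_ip_ttl":"128"},"udp":{"udp_udp_srcport":"68","udp_udp_dstport":"67"},"dhcp":{"dhcp_dhcp_type":"1","dhcp_dhcp_option_hostname":"12345"}}}
"""

NUMERIC = {"long", "double"}


def parse_ek(text: str) -> List[Dict[str, Any]]:
    """Split ek ndjson into packet documents, enforcing the index/document pairing."""
    docs: List[Dict[str, Any]] = []
    expect_index = True
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        obj = json.loads(line)
        if expect_index:
            if "index" not in obj:
                raise ValueError(f"line {lineno}: expected an index action line")
        else:
            if "layers" not in obj:
                raise ValueError(f"line {lineno}: expected a packet document with 'layers'")
            docs.append(obj)
        expect_index = not expect_index
    if not expect_index:
        raise ValueError("trailing index line without a document")
    return docs


def iter_fields(doc: Dict[str, Any]) -> Iterator[Tuple[str, str, Any]]:
    """Yield (protocol, field, value) for every scalar under doc['layers'].
    Repeated fields arrive as lists and are expanded one value at a time;
    nested objects are skipped to keep the example focused on leaf fields."""
    for proto, fields in doc["layers"].items():
        if not isinstance(fields, dict):
            continue
        for name, value in fields.items():
            values = value if isinstance(value, list) else [value]
            for v in values:
                if not isinstance(v, dict):
                    yield proto, name, v


def classify(value: Any) -> str:
    """Approximate what Elasticsearch numeric_detection would do with a value.
    Python's int()/float() accept '1_000', 'nan' and 'inf', which Elasticsearch
    would not treat as numbers, so those are forced to keyword."""
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, int):
        return "long"
    if isinstance(value, float):
        return "double"
    s = str(value).strip()
    if not s or "_" in s:
        return "keyword"
    try:
        int(s, 10)
        return "long"
    except ValueError:
        pass
    try:
        return "double" if math.isfinite(float(s)) else "keyword"
    except ValueError:
        return "keyword"


def observed_types(docs: List[Dict[str, Any]]) -> Dict[str, Set[str]]:
    """Map 'proto.field' to the set of types seen across all packets."""
    seen: Dict[str, Set[str]] = {}
    for doc in docs:
        for proto, name, value in iter_fields(doc):
            seen.setdefault(f"{proto}.{name}", set()).add(classify(value))
    return seen


def conflicting_fields(docs: List[Dict[str, Any]]) -> List[str]:
    """Fields that are numeric in some packets and textual in others; with
    numeric_detection enabled these would reject packets at index time."""
    return sorted(k for k, t in observed_types(docs).items() if t & NUMERIC and t - NUMERIC)


def resolve(types: Set[str]) -> str:
    """Pick one mapping type; anything mixed or textual is pinned to keyword."""
    if types <= NUMERIC:
        return "double" if "double" in types else "long"
    return "keyword"


def build_template(docs: List[Dict[str, Any]], index_pattern: str = "packets-*",
                   numeric_detection: bool = False) -> Dict[str, Any]:
    """Build an index template with explicit types for every observed field and
    dynamic mapping left on for protocols the sample did not cover."""
    layers: Dict[str, Any] = {}
    for key, types in observed_types(docs).items():
        proto, name = key.split(".", 1)
        layers.setdefault(proto, {"properties": {}})["properties"][name] = {"type": resolve(types)}
    return {
        "index_patterns": [index_pattern],
        "mappings": {
            "dynamic": True,
            "numeric_detection": numeric_detection,
            "properties": {
                "timestamp": {"type": "date", "format": "epoch_millis"},
                "layers": {"properties": layers},
            },
        },
    }


if __name__ == "__main__":
    packets = parse_ek(SAMPLE_EK)
    print("fields with conflicting types:", conflicting_fields(packets))
    print(json.dumps(build_template(packets), indent=2))
```

Run it against real data with `tshark -r trace.pcapng -T ek` piped into parse_ek; the resulting JSON is the body for the Elasticsearch index template API. The conflict list is the part worth reviewing by hand before deciding whether numeric_detection should stay on: every field it names will be rejected for some packets unless it is pinned to keyword as the template does.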
Program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY.