Stenographer 数据包捕获解决方案,快速的把所有数据包转移到硬盘中,可以简单快速的访问包子集。
Stenographer 缓冲数据包到硬盘,用于入侵检测和事件响应,提供高性能的 NIC-to-disk 数据包写入;提供快速读取数据包的方法。
Stenographer 主要用来:
把数据包快速写入硬盘
存储尽可能多的历史记录
读取分析需要的,硬盘上的非常小部分的数据包
查询语言
host 8.8.8.8 # Single IP address (hostnames not allowed) net 1.0.0.0/8 # Network with CIDR net 1.0.0.0 mask 255.255.255.0 # Network with mask port 80 # Port number (UDP or TCP) ip proto 6 # IP protocol number 6 icmp # equivalent to 'ip proto 1' tcp # equivalent to 'ip proto 6' udp # equivalent to 'ip proto 17' # Stenographer-specific time additions: before 2012-11-03T11:05:00 # Packets before a specific time (UTC) after 2012-11-03T11:05:00-0700 # Packets after a specific time (with TZ) before 45m ago # Packets before a relative time before 3h ago # Packets after a relative time
Stenoread CLI
# Request all packets from IP 1.2.3.4 port 6543, then do extra filtering by # TCP flag, which typical stenographer does not support. $ stenoread 'host 1.2.3.4 and port 6543' 'tcp[tcpflags] & tcp-push != 0' # Request packets on port 8765, disabling IP resolution (-n) and showing # link-level headers (-e) when printing them out. $ stenoread 'port 8765' -n -e # Request packets for any IPs in the range 1.1.1.0-1.1.1.255, writing them # out to a local PCAP file so they can be opened in Wireshark. $ stenoread 'net 1.1.1.0/24' -w /tmp/output_for_wireshark.pcap
