Shell commands

targets

targets

This command has two main purposes:

  • To list all targets in the configuration file.
  • To check if PCAP files can be collected there.

Here is a sample output from the command. It is similar to the one in the Quick start section, but here each line is explained in more detail:

tranqap> targets
=== Running checks for target <Local target 1> ===
Check if tcpdump is installed: Yes
Check if sudo is installed: NO
Check if tcpdump can be run with sudo, without password: NO
Check if tcpdump has got cap_net_admin capabilities: NO
Check if tcpdump has got cap_net_raw+eip capabilities: NO
User is member of the binary's group: Yes

Check if tcpdump is installed: Yes/NO

tranqap uses tcpdump to collect traffic. This check verifies whether the tcpdump command is available on the target.

Check if sudo is installed: Yes/NO

Usually only privileged users can run tcpdump. One way to grant that privilege is sudo. This check verifies whether sudo is installed on the target.

Check if tcpdump can be run with sudo, without password: Yes/NO

tranqap can't provide a password for sudo. For this reason, if tcpdump is to be started via sudo, sudo must be configured to execute the tcpdump command without asking for a password. This line checks whether sudo tcpdump requires a password.

Check if tcpdump has got cap_net_admin capabilities: Yes/NO

Check if tcpdump has got cap_net_raw+eip capabilities: Yes/NO

User is member of the binary's group: Yes/NO

These three lines are connected. The target might be configured to allow an unprivileged user to collect PCAPs with tcpdump. This is possible when the binary has the cap_net_admin and cap_net_raw+eip capabilities enabled. Additionally, the user executing tcpdump must either own the binary or be a member of its group. As tcpdump is usually owned by root, only the second condition is checked.
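The same six questions can be answered on a host before it is added to the configuration. The script below is an added example, not tranqap's own code: it re-implements the report printed by the targets command in portable shell. It assumes a Linux target with libcap's getcap installed and GNU stat (for the group lookup); the tcpdump path, user and group are whatever the host reports.

```shell
#!/bin/sh
# Added example (not tranqap's code): reproduce the `targets` report in shell.
# Assumes Linux, getcap from libcap, and GNU coreutils stat.

# has_cap_eip GETCAP_LINE CAPNAME
# Returns 0 when one line of getcap output grants CAPNAME with the e, i and p
# flags (the "+eip" form the report looks for), 1 otherwise. Understands both
# libcap output styles:
#   /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip   (older libcap)
#   /usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip     (libcap >= 2.41)
# It is a pure string function, so it can be checked without root.
has_cap_eip() {
    rest=${1#* }            # drop the binary path, keep the capability clauses
    want=$2
    for clause in $rest; do
        case $clause in
            *=*) names=${clause%%=*}; flags=${clause#*=} ;;
            *+*) names=${clause%%+*}; flags=${clause#*+} ;;
            *)   continue ;;    # lone "=" from the old style, or a "-" removal
        esac
        case $flags in *e*) ;; *) continue ;; esac
        case $flags in *i*) ;; *) continue ;; esac
        case $flags in *p*) ;; *) continue ;; esac
        case ",$names," in *",$want,"*) return 0 ;; esac
    done
    return 1
}

# user_in_group GROUP: is GROUP among the invoking user's groups?
user_in_group() {
    for g in $(id -Gn); do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# report LABEL COMMAND...: print "LABEL: Yes" if COMMAND succeeds, else "LABEL: NO"
report() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then echo "$label: Yes"; else echo "$label: NO"; fi
}

# The live checks, one per line of the targets report.
check_target() {
    bin=$(command -v tcpdump 2>/dev/null || true)
    report 'Check if tcpdump is installed' test -n "$bin"
    report 'Check if sudo is installed' command -v sudo
    # -n fails instead of prompting; -k ignores cached credentials so a
    # recent interactive sudo does not turn this into a false "Yes".
    report 'Check if tcpdump can be run with sudo, without password' \
        sudo -k -n tcpdump --version
    capline=$( [ -n "$bin" ] && getcap "$bin" 2>/dev/null || true )
    report 'Check if tcpdump has got cap_net_admin capabilities' \
        has_cap_eip "$capline" cap_net_admin
    report 'Check if tcpdump has got cap_net_raw+eip capabilities' \
        has_cap_eip "$capline" cap_net_raw
    grp=$( [ -n "$bin" ] && stat -c %G "$bin" 2>/dev/null || true )
    report "User is member of the binary's group" user_in_group "$grp"
}

# Run the live report only when invoked as: sh check_target.sh run
case ${1:-} in run) check_target ;; esac
```

Run it as the same unprivileged account tranqap will use on the target, since the sudo and group answers depend on who is asking. A "NO" on the capability lines with a "Yes" on the group line means the binary is group-accessible but has no file capabilities, so only the sudo route remains.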

start

start

Starts packet capturing on the target(s). Files are saved to the directory specified with the Destination parameter in the configuration.

The files are named according to the value specified in the File Pattern parameter.

On each start, the PCAP files for each target are rotated. How many files are kept is specified with the File Rotation Count parameter.

The file from the current capture is always named FILE_PATTERN.pcap. On the next start it is rotated to FILE_PATTERN.1.pcap.

Here is an example:

{
    "Destination": "PCAPs/local_target_1",
    "File Pattern": "trace",
    "File Rotation Count": 5
}

With this configuration the PCAP files are saved to PCAPs/local_target_1, relative to the current working directory of the binary. The files there will have the following names:

  • trace.pcap
  • trace.1.pcap
  • trace.2.pcap
  • trace.3.pcap
  • trace.4.pcap
  • trace.5.pcap

On the next start, trace.5.pcap will be deleted, trace.4.pcap will be renamed to trace.5.pcap and so on.
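The rotation described above, written out as a shell function so the ordering is explicit. This is an added example, not tranqap's own code; it assumes a POSIX shell and takes the Destination, File Pattern and File Rotation Count values as arguments rather than reading the JSON. The demo function builds the six-file layout from the example configuration in a temporary directory.

```shell
#!/bin/sh
# Added example (not tranqap's code): PCAP rotation for the start/stop commands.

# rotate_pcaps DIR PATTERN COUNT
# Deletes PATTERN.COUNT.pcap, shifts PATTERN.N.pcap to PATTERN.N+1.pcap for
# N = COUNT-1 down to 1, then moves PATTERN.pcap to PATTERN.1.pcap.
# Walking from the highest index downward guarantees no file is overwritten.
rotate_pcaps() {
    dir=$1; pat=$2; count=$3
    [ "$count" -ge 1 ] || return 1
    rm -f "$dir/$pat.$count.pcap"
    n=$((count - 1))
    while [ "$n" -ge 1 ]; do
        if [ -f "$dir/$pat.$n.pcap" ]; then
            mv "$dir/$pat.$n.pcap" "$dir/$pat.$((n + 1)).pcap"
        fi
        n=$((n - 1))
    done
    if [ -f "$dir/$pat.pcap" ]; then
        mv "$dir/$pat.pcap" "$dir/$pat.1.pcap"
    fi
}

# current_pcap DIR PATTERN: the file a fresh capture writes to after rotation.
current_pcap() {
    printf '%s/%s.pcap\n' "$1" "$2"
}

# rotation_demo [ROUNDS]
# Creates trace.pcap and trace.1.pcap .. trace.5.pcap (constructed sample
# files whose contents are their original names), rotates ROUNDS times with
# a rotation count of 5, and prints "newname<-originalname" for each survivor.
rotation_demo() {
    rounds=${1:-1}
    d=$(mktemp -d)
    for f in trace trace.1 trace.2 trace.3 trace.4 trace.5; do
        echo "$f" > "$d/$f.pcap"
    done
    while [ "$rounds" -ge 1 ]; do
        rotate_pcaps "$d" trace 5
        rounds=$((rounds - 1))
    done
    out=""
    for f in trace trace.1 trace.2 trace.3 trace.4 trace.5; do
        if [ -f "$d/$f.pcap" ]; then
            out="${out:+$out }$f.pcap<-$(cat "$d/$f.pcap")"
        fi
    done
    rm -rf "$d"
    echo "$out"
}
```

After one rotation the file formerly called trace.4.pcap is now trace.5.pcap, trace.pcap has become trace.1.pcap, and trace.pcap itself does not exist until the new capture creates it. A second rotation without a capture in between drops the oldest file again and leaves trace.1.pcap empty, which is the behaviour to expect when stop has already rotated and start rotates once more.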

stop

stop

Terminates packet capturing on all targets. On stop, PCAP file rotation is performed.

wireshark

wireshark [target]

When called without arguments, starts Wireshark for all running captures. Alternatively, Wireshark can be started for a selected target by naming it.

E.g.

tranqap> wireshark MyServer

Other commands

The shell also supports a few helper commands:

  • clear - Clears the screen.
  • exit - Exits the program. Ctrl+D does the same.
  • help - Lists the supported commands.