Quick start

What follows is a very fast introduction to tranqap. It covers:

  • Configuration - add one remote machine as a target.
  • Verify that the target is capable of collecting network traffic.
  • Start packet capture.
  • Run wireshark.

Configuration

tranqap looks for a file named config.json in the current working directory. A sample file can be generated by running:

$ tranqap init
Saved sample configuration to config.json

Here is how it looks:

{
    "targets": [
        {
            "Name": "Target name. Informational identification only.",
            "Host": "Hostname/IP address of the target.",
            "Port": 22,
            "User": "SSH login.",
            "Key": "Path to private key, used for authentication.",
            "Destination": "Path to destination dir for the PCAP files.",
            "File Pattern": "Filename pattern for each pcap file. Index and file extension will be added to this string.",
            "File Rotation Count": 5,
            "Use sudo": true
        }
    ]
}

Every field contains either a sensible default value or an informative description. Here is an example of a working config file:

{
    "targets" : [
        {
            "Name": "Local target 1",
            "Host": "127.0.0.1",
            "Port": 2222,
            "User": "root",
            "Key": "ssh-key",
            "Destination": "PCAPs/local_target_1",
            "File Pattern": "trace",
            "File Rotation Count": 10,
            "Use sudo": false
        }
    ]
}
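
The sample above is easy to get subtly wrong (a key file readable by other users, a capture account that is really root, a boolean where a port number belongs). The following linter is an added example, not part of tranqap: it reads a config.json with the field names shown above and reports such problems. Which checks it runs (key file mode, root login, port range, rotation count) is this example's own choice, and the demo() function builds a constructed workspace with a placeholder key file rather than touching a real one.

```python
"""Lint a tranqap config.json for the pitfalls this quick start mentions.

Added example: this is not tranqap's own code. The field names come from the
sample config.json on this page; the set of checks is this example's assumption.
"""
import json
import os
import stat
import tempfile

# Expected field name -> Python type, taken from the sample config.json above.
FIELDS = {
    "Name": str, "Host": str, "Port": int, "User": str, "Key": str,
    "Destination": str, "File Pattern": str, "File Rotation Count": int,
    "Use sudo": bool,
}


def _is_type(value, typ):
    # bool is a subclass of int, so "Port": true must not pass as an int.
    if typ is int:
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, typ)


def lint_target(target, check_files=True):
    """Return a list of (severity, message) findings for one target entry."""
    findings = []
    for field, typ in FIELDS.items():
        if field not in target:
            findings.append(("error", f"missing field {field!r}"))
        elif not _is_type(target[field], typ):
            findings.append(("error", f"{field!r} should be {typ.__name__}"))
    if findings:
        return findings  # structural errors first; the checks below rely on valid types

    if not 1 <= target["Port"] <= 65535:
        findings.append(("error", f"Port {target['Port']} is out of range"))
    if target["File Rotation Count"] < 1:
        findings.append(("error", "File Rotation Count must be at least 1"))
    if target["User"] == "root":
        findings.append(("warning",
                         "captures run as root: the private key in 'Key' grants "
                         "root on the target; prefer a capture-only user"))
    if check_files:
        key = target["Key"]
        if not os.path.isfile(key):
            findings.append(("error", f"Key file {key!r} does not exist"))
        elif stat.S_IMODE(os.stat(key).st_mode) & 0o077:
            findings.append(("error",
                             f"Key file {key!r} is group/world accessible; chmod 600 it"))
    return findings


def lint_config(path):
    """Lint every target in a config.json; returns {target name: findings}."""
    with open(path) as fh:
        cfg = json.load(fh)
    targets = cfg.get("targets")
    if not isinstance(targets, list) or not targets:
        return {"<config>": [("error", "'targets' must be a non-empty list")]}
    return {t.get("Name", f"target#{i}"): lint_target(t)
            for i, t in enumerate(targets)}


def demo():
    """Constructed sample: the working config above, with a 0644 key file."""
    workdir = tempfile.mkdtemp()
    key = os.path.join(workdir, "ssh-key")
    with open(key, "w") as fh:
        fh.write("-- constructed placeholder, not a real key --\n")
    os.chmod(key, 0o644)  # deliberately too permissive, so the linter flags it
    cfg = {"targets": [{
        "Name": "Local target 1", "Host": "127.0.0.1", "Port": 2222,
        "User": "root", "Key": key, "Destination": "PCAPs/local_target_1",
        "File Pattern": "trace", "File Rotation Count": 10, "Use sudo": False,
    }]}
    path = os.path.join(workdir, "config.json")
    with open(path, "w") as fh:
        json.dump(cfg, fh)
    return lint_config(path)


if __name__ == "__main__":
    for name, findings in demo().items():
        for severity, message in findings:
            print(f"[{severity}] {name}: {message}")
```

Run it from the directory that holds config.json, or point lint_config() at the file; the two findings demo() produces (root login and a key file that other users can read) are exactly the situation the warning later in this guide is about.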

Verify that the target is capable of collecting network traffic

The binary should be executed in the directory where config.json is located. The application uses a very basic shell as its UI:

$ tranqap
tranqap>

This is the tranqap prompt. The targets command checks whether tcpdump can be run on the remote machine, either with sudo or as a user capable of collecting network traffic without root.

tranqap> targets
=== Running checks for target <Local target 1> ===
Check if tcpdump is installed: Yes
Check if sudo is installed: NO
Check if tcpdump can be run with sudo, without password: NO
Check if tcpdump has got cap_net_admin capabilities: NO
Check if tcpdump has got cap_net_raw+eip capabilities: NO
User is member of the binary's group: Yes

tranqap>

What this means:

  • tcpdump is installed on the remote machine. This is the packet capturer that tranqap uses.
  • sudo is not installed. This is fine, because the machine is accessed with the root account.
  • tcpdump cannot be run with sudo without a password. Also fine, since there is no sudo on the machine.
  • The last three lines matter only if tranqap is to run tcpdump as a regular user. They are not relevant in the current case.
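
To make the report above concrete, here is an added example (not tranqap's own code) that reproduces the same six checks from the facts an administrator would collect by hand: which tcpdump, getcap on the binary, the binary's owning group, the user's groups and whether sudo runs tcpdump without a password. The decision rule it applies is the one this page describes (password-less sudo, or a capability-enabled binary the user may execute), and the assumption that a non-root setup keeps the binary root:<group> with mode 0750, so group membership gates who can execute it, is this example's own. It understands both the older ("= cap_net_raw+eip") and newer ("cap_net_raw=eip") getcap output formats.

```python
"""Re-create tranqap's six 'targets' checks for one tcpdump binary.

Added example, not tranqap's own code. gather_local_facts() probes the machine
the script runs on; SAMPLE_NONROOT is a constructed set of facts for a host
that was set up for capture without root.
"""
import grp
import os
import shutil
import subprocess


def parse_getcap(line):
    """Parse one getcap line into {capability: set(flags)}.

    Handles both output styles (path must not contain spaces):
      libcap < 2.41:  '/usr/bin/tcpdump = cap_net_admin,cap_net_raw+eip'
      libcap >= 2.41: '/usr/bin/tcpdump cap_net_admin,cap_net_raw=eip'
    An empty line (binary carries no file capabilities) gives {}.
    """
    line = line.strip()
    if not line:
        return {}
    _, _, spec = line.partition(" ")   # drop the path
    spec = spec.lstrip("= ")           # older format puts ' = ' before the clauses
    caps = {}
    for clause in spec.split():
        # clause grammar: cap[,cap...] then one of + - = then flag letters e/i/p
        idx = next((i for i, ch in enumerate(clause) if ch in "+-="), None)
        if idx is None:
            continue  # malformed clause, ignore it
        names, op, flags = clause[:idx].split(","), clause[idx], set(clause[idx + 1:])
        for name in names:
            current = caps.setdefault(name, set())
            if op == "=":
                current.clear()
                current.update(flags)
            elif op == "+":
                current.update(flags)
            else:
                current.difference_update(flags)
    return caps


def run_checks(facts):
    """Return the six checks as an ordered list of (name, bool), like the report."""
    caps = parse_getcap(facts["getcap"]) if facts["tcpdump"] else {}
    return [
        ("tcpdump is installed", facts["tcpdump"] is not None),
        ("sudo is installed", facts["sudo"] is not None),
        ("tcpdump runs via sudo without password", bool(facts["sudo_nopasswd"])),
        ("tcpdump has cap_net_admin", bool(caps.get("cap_net_admin"))),
        ("tcpdump has cap_net_raw+eip", {"e", "i", "p"} <= caps.get("cap_net_raw", set())),
        ("user is in the binary's group", facts["binary_group"] in facts["user_groups"]),
    ]


def can_capture(facts):
    """Root and password-less sudo always work; otherwise the binary needs the
    capabilities AND the user must be allowed to execute it (group membership,
    assuming a root:<group> 0750 binary)."""
    c = dict(run_checks(facts))
    if not c["tcpdump is installed"]:
        return False
    if facts["user"] == "root" or c["tcpdump runs via sudo without password"]:
        return True
    return (c["tcpdump has cap_net_admin"] and c["tcpdump has cap_net_raw+eip"]
            and c["user is in the binary's group"])


def gather_local_facts():
    """Collect the same facts for the machine this script runs on (Linux)."""
    tcpdump, sudo = shutil.which("tcpdump"), shutil.which("sudo")
    facts = {"user": os.environ.get("USER", ""), "tcpdump": tcpdump, "sudo": sudo,
             "getcap": "", "sudo_nopasswd": False, "binary_group": "", "user_groups": set()}
    if tcpdump:
        if shutil.which("getcap"):
            facts["getcap"] = subprocess.run(["getcap", tcpdump],
                                             capture_output=True, text=True).stdout
        facts["binary_group"] = grp.getgrgid(os.stat(tcpdump).st_gid).gr_name
        for gid in os.getgroups():
            try:
                facts["user_groups"].add(grp.getgrgid(gid).gr_name)
            except KeyError:
                pass  # gid with no /etc/group entry
        if sudo:  # -n: never prompt, fail instead
            r = subprocess.run([sudo, "-n", tcpdump, "--version"], capture_output=True)
            facts["sudo_nopasswd"] = r.returncode == 0
    return facts


# Constructed facts for a host prepared for non-root capture (not real output).
SAMPLE_NONROOT = {
    "user": "capture", "tcpdump": "/usr/bin/tcpdump", "sudo": "/usr/bin/sudo",
    "sudo_nopasswd": False,
    "getcap": "/usr/bin/tcpdump = cap_net_admin,cap_net_raw+eip",
    "binary_group": "pcap", "user_groups": {"capture", "pcap"},
}

if __name__ == "__main__":
    facts = gather_local_facts()
    for name, ok in run_checks(facts):
        print(f"{name}: {'Yes' if ok else 'NO'}")
    print("capture possible:", can_capture(facts))
```

Running the script prints a report in the same Yes/NO shape as tranqap's, so it is a quick way to confirm, before adding a host as a target, that a dedicated capture user would pass the checks and the root account can stay out of config.json.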

WARNING Collecting PCAPs as root is dangerous. It means that a private key granting root access to the machine is sitting unprotected on the filesystem. Avoid this at all costs.

Start packet capture

Just run start:

tranqap> start
tranqap>

Nothing is printed, but a PCAP file should appear in the output directory, which is PCAPs/local_target_1:

$ ls PCAPs/local_target_1/
trace.pcap

Run wireshark

The traffic being saved to the PCAP file can also be inspected in real time with Wireshark:

tranqap> wireshark
tranqap>

Wireshark starts locally and all captured traffic is shown there.

Stop capture

Run stop:

tranqap> stop
tranqap>