Metasploit mailing list archives

pcaprub module


From: egypt at metasploit.com (egypt at metasploit.com)
Date: Tue, 7 Apr 2009 00:11:05 -0600

Jeffs,

The pcap_log plugin might be what you're looking for.  It lets you
save traffic to a pcap file using BPF syntax for filtering.  The
filter option must be enclosed in quotes if it contains a space.
Here's a simple example:

msf > load pcap_log
[-] No interface given
usage: load pcap_log iface=<iface> [path=<logpath>] [prefix=<logprefix>] [filter="<filter>"]
[-] Failed to load plugin from /home/egypt/svn/framework3/trunk/plugins/pcap_log: No interface specified
msf > load pcap_log iface=eth1 filter="host 192.168.1.1"
[*] Logs in /tmp/msf3-session_2009-04-07_00-14-03.pcap
[*] Starting capture thread on interface eth1
[*] Successfully loaded plugin: pcap_log

Hope this helped,
egypt



On Mon, Apr 6, 2009 at 9:27 PM, jeffs <jeffs at speakeasy.net> wrote:
Got it.

I see now that the filter uses Berkeley packet filtering syntax.  Good.  Is
the screen output saved anywhere for later use or is it just existing for
the session on the screen?  Can it be dumped do you think?

Thanks.

hdm wrote:

On Mon, 2009-04-06 at 23:15 -0400, jeffs wrote:


It seems to sniff http by default and I'm having difficulty killing
it.  Keeps saying type exit to exit but there is no prompt and I have
to either ctrl-c kill it with many attempts or kill -9 it.

What is the syntax for filtering?  Anything I put in there just seems
to default to sniffing http traffic...


The kill bug is something we should look into; there are a few other
cases where that happens and it's really annoying. The test/capture
module just sniffs http, that's it; it's meant to be an example you can
customize and not necessarily a useful module on its own.

-HD

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
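
Added example (not part of the original thread and not Metasploit code): a Ruby check that a capture saved with a filter such as "host 192.168.1.1" contains only IPv4 packets to or from that host. It assumes a classic libpcap file with Ethernet framing; all function names are hypothetical and the sample capture is constructed in memory.

```ruby
require 'stringio'

# Return [src, dst] dotted-quad pairs for every IPv4 packet in a classic
# libpcap file (assumption: Ethernet link type, as on an interface like eth1).
def pcap_ipv4_endpoints(io)
  header = io.read(24)
  raise ArgumentError, 'truncated global header' unless header && header.bytesize == 24
  # The magic number tells us the byte order the writer used.
  u32 = case header[0, 4].unpack1('N')
        when 0xa1b2c3d4 then 'N'
        when 0xd4c3b2a1 then 'V'
        else raise ArgumentError, 'not a classic pcap file'
        end
  raise ArgumentError, 'not Ethernet' unless header[20, 4].unpack1(u32) == 1
  endpoints = []
  while (rec = io.read(16))
    raise ArgumentError, 'truncated record header' unless rec.bytesize == 16
    caplen = rec.unpack(u32 * 4)[2]
    frame = io.read(caplen)
    raise ArgumentError, 'truncated packet' unless frame && frame.bytesize == caplen
    # Skip anything that is not IPv4 (ARP, IPv6) or is cut short by the snaplen.
    next unless frame.bytesize >= 34 && frame[12, 2].unpack1('n') == 0x0800
    endpoints << [frame[26, 4], frame[30, 4]].map { |a| a.unpack('C4').join('.') }
  end
  endpoints
end

# IPv4 packets that a "host <addr>" filter should not have let through.
def packets_outside_host_filter(io, host)
  pcap_ipv4_endpoints(io).reject { |src, dst| src == host || dst == host }
end

# Constructed sample data: Ethernet + bare IPv4 header, no payload.
def sample_frame(src, dst)
  ip = [0x45, 0, 20, 0, 0, 64, 6, 0].pack('CCnnnCCn') + (src + dst).pack('C8')
  ("\x00".b * 12) + [0x0800].pack('n') + ip
end

def sample_pcap(frames)
  global = [0xa1b2c3d4, 2, 4, 0, 0, 65_535, 1].pack('VvvVVVV')
  frames.reduce(global) { |out, f| out + [0, 0, f.bytesize, f.bytesize].pack('V4') + f }
end

if $PROGRAM_NAME == __FILE__
  frames = [sample_frame([192, 168, 1, 1], [10, 0, 0, 5]),
            sample_frame([10, 0, 0, 5], [10, 0, 0, 9])]
  stray = packets_outside_host_filter(StringIO.new(sample_pcap(frames)), '192.168.1.1')
  puts "packets outside filter: #{stray.inspect}"
end
```

An empty result means every IPv4 packet in the file involves the filtered host; non-IPv4 frames are not examined.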



