One of the most powerful ways to use CloudShark is to aggregate captures from multiple locations. While many network devices have packet capture natively (and some integrated with CloudShark upload), for other systems, it’s necessary to use custom scripts that utilize tshark (with the CloudShark plug-in for Wireshark installed) or tcpdump in tandem with CURL to use the CloudShark upload API. While all of these solutions are effective, they do require you to log into the remote machine (or have scripts to do so) in order to the initiate the captures.
Enter the open source pcapdaemon, pioneered by Dan Murphy of Biscayne DevOps. This tool utilizes redis and its pub/sub mechanism to allow the capture tool to listen for requests to start captures. When the capture is finished, it can be pushed up to CloudShark.
“The idea really came from my combined experiences working at AOL, TATA, Prolexic, and Defense.net,” said Dan. “I realized there was a real need to automate remote captures from any number of feeder sources. If you have a lot of processes (like Nagios, OSSEC, Snort, BRO, Splunk, etc.) all creating their own captures for debugging and forensics, and your capture points are spread across many sites. I thought it would be great if you had something to push all that data to CloudShark.”
Like with any publish/subscribe system, both clients connect to a central server. Each client can listen to a particular “channel”, and the server will push messages targeted to that channel down to those who are listening. When pcapdaemon receives its specialized message over the redis channel, it initiates a capture using the parameters set in the message. When it’s finished, it uses the CloudShark upload API call to post the finalized capture to CloudShark, including any tags that were added in the pcapdaemon message.
Distributed across many different traffic sources, this creates a powerful tool to track network issues, security events, or application failures. Great stuff!