README

- Description -

This application index Terrabytes of pcaps with the help of argus.
When your pcaps are indexed it's easy to use either carve_pcap.rb like:
$ carve_pcap.rb -f 'host 10.0.0.1 and port 53' 20120402 20:10:17.500144
or use the web frontend. This will give you a the queried sessions 
carved out and merged into a new pcap.

A perfect usecase for the web frontend is snort/suricata alerts.
If you have these in, for example Splunk, and then configure a 
"per event" link then you can go with one-click from the alert 
to the full pcap stream that triggered the alert.

- Install -

* Run bin/import_pcaps.rb and generate the default config file.
* create from template and put into dbdir:
  $ sqlite3 db/pcaps.db < db/_pcaps.db.dump
* Test bin/import_pcaps.rb and bin/generate_argus.rb for a single pcap.
* Create cron job for indexing automatically. (extras/import_wrap_X can be
  used)

Make sure you have these files in your $PATH:
  lsof
  capinfos, mergecap
  tcpdump
  argus, ra, racluster  (version 3.x of argus bundle)

On ubuntu:
  These packages works from the default repo: (ubuntu 12.04)
    $ sudo apt-get install ruby1.9.3 lsof wireshark-common tcpdump
  But you will need to fetch argus from http://qosient.com/argus (version 3 tested)

Ruby required gems:
  base: sequel, sqlite3 (ubuntu pkgs: ruby-sequel libsqlite3-ruby sqlite3)
  web: sinatra, haml, json (ubuntu pkgs: ruby-sinatra ruby-haml ruby-json)

Scripts:
  bin/import_pcaps.rb   - to import to db and optional move your pcaps to a archive dir.
  bin/generate_argus.rb - to generate argus files based on your pcaps.
  bin/carve_pcap.rb     - to carve out a specific session.
  extras/import_wrap_*  - import wrapper wich can be runned from cron.

Webui:
  Create a db:
  $ sqlite3 db/web.db < web/db/_
  Front this webui with something like apache, nginx or thin.
  Obs! no authentication is built into this. Use the reverse-proxy for that.