I’ve made some changes to Dumpy, my simple-to-install-and-use PCAP spool web frontend, including:
- A rewrite in Go, mostly for entertainment purposes, though Go’s easy-to-use concurrency and single-binary installation make it a good choice for small applications like this.
- Multiple spool directory support.
- A decoder for translating a Suricata JSON style event to a pcap filter (in addition to the existing “fast” style event decoding).
Check it out over here https://github.com/jasonish/dumpy.
Sometimes the best way to try out a new framework or language is to apply it to a domain you already know very well, even if it does happen to reinvent the wheel. Tornado and Twitter Bootstrap are two such frameworks I’ve been meaning to play with for a while now. The result is Dumpy, a web front-end to pcap spool files as created by tcpdump, daemonlogger, or netsniff-ng, with a very simple configuration and user interface.
Requirements are minimal: Python 2.6 (so it will run on CentOS 6 with little hassle), plus Tornado and py-bcrypt, both trivially installed with pip. It provides its own HTTP server with SSL support and does not require a database.
Usage is also simple: enter a pcap filter, or paste in a Snort or Suricata event in “fast” format, choose start and end times (or simply offsets) and hit download.
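As an added illustration of the two event decoders mentioned on this page (the Suricata JSON/EVE one and the Snort/Suricata “fast” one), here is a Python 3 sketch of how an alert pasted into such a form can be turned into a pcap filter plus the event time to centre the download window on. This is example code, not Dumpy’s own; the EVE field names are Suricata’s, while the allow-list of protocols and the sample alerts are constructed assumptions. The security-relevant point is that the pasted text is untrusted input, so every field is validated before it becomes part of a filter handed to tcpdump.

```python
import ipaddress
import json
import re
from datetime import datetime

# Suricata protocol names mapped to the libpcap primitive to emit; doubles as an allow-list.
PROTO_MAP = {"tcp": "tcp", "udp": "udp", "icmp": "icmp", "ipv6-icmp": "icmp6"}

# Leading timestamp and trailing "{PROTO} src[:port] -> dst[:port]" of a "fast" alert line.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+).*"
    r"\{(?P<proto>[\w-]+)\} (?P<src>\S+?)(?::(?P<sp>\d+))? -> (?P<dst>\S+?)(?::(?P<dp>\d+))?\s*$"
)

# Constructed sample alerts (not captured traffic), one per format.
SAMPLE_EVE = ('{"timestamp": "2013-12-22T14:00:00.123456-0600", "event_type": "alert", "proto": "TCP",'
              ' "src_ip": "10.0.0.5", "src_port": 52342, "dest_ip": "192.0.2.22", "dest_port": 22}')
SAMPLE_FAST = ("12/22/2013-14:00:00.123456  [**] [1:1000001:1] Constructed test alert [**] "
               "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:52342 -> 192.0.2.22:22")


def build_filter(proto, src, dst, sp=None, dp=None):
    """Build a bidirectional pcap filter from a 5-tuple. Every field is validated so
    that pasted alert text cannot smuggle extra filter syntax into the tcpdump command."""
    primitive = PROTO_MAP.get(proto.lower())
    if primitive is None:
        raise ValueError("unsupported protocol %r" % proto)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)  # raises on junk
    terms = [primitive, "host %s" % src, "host %s" % dst]
    if primitive in ("tcp", "udp"):
        if sp is None or dp is None:
            raise ValueError("%s event without ports" % primitive)
        terms += ["port %d" % int(sp), "port %d" % int(dp)]
    return " and ".join(terms)


def eve_to_filter(record):
    """Decode one Suricata EVE (JSON) alert into (pcap filter, aware event datetime)."""
    ev = json.loads(record)
    bpf = build_filter(ev["proto"], ev["src_ip"], ev["dest_ip"], ev.get("src_port"), ev.get("dest_port"))
    return bpf, datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")


def fast_to_filter(line):
    """Decode one Snort/Suricata fast-format alert line into (pcap filter, naive event datetime)."""
    m = FAST_RE.match(line)
    if not m:
        raise ValueError("not a fast-format alert: %r" % line)
    bpf = build_filter(m["proto"], m["src"], m["dst"], m["sp"], m["dp"])
    return bpf, datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f")  # sensor local time
```

The fast-format timestamp carries no zone, so it is returned naive and must be interpreted in the sensor’s local time when picking spool files; the EVE timestamp is zone-aware.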
If interested, start a pcap spool, e.g.:
sudo tcpdump -i eth0 -C 1000 -W10 -G 3600 -w /tmp/eth0.log.%Y%m%d.
then check out Dumpy over here https://github.com/jasonish/dumpy.