
Getting started

Before going into the configuration part, it is best to understand how pom-ng works.

Processing steps

1) Packets are read from an input

Packets can be read from multiple sources. To support this, pom-ng ships with several inputs. The most common ones are the following:

  • Input pcap_interface reads packets from a network interface on your system
  • Input dvb_c reads MPEG-TS packets from a DVB-C card
  • Input pcap_file reads packets from a pcap file
  • Input pcap_dir reads packets from multiple pcap files in a single directory

You can configure multiple inputs and run them at the same time.

2) Packets are analyzed

At this step, pom-ng analyzes the packets coming from the inputs. It finds out which protocol chain is inside each packet and decodes the headers of each protocol that will be useful for later processing. It also keeps track of the packets that belong to a single connection. This job is done by the protocol modules, also called proto modules.
For higher layer protocols such as HTTP, events are generated that carry information about a specific protocol event. For instance, the HTTP protocol has 2 events: http_query and http_response. The http_query event contains all the information about the query from the client. The http_response event contains all the information about the reply from the server.

3) Protocol events are processed

Most of the time, protocol events alone are not very useful. In the case of the http_query and http_response events, it is not easy to correlate a query with its response. This is why the http analyzer listens for those two events and creates a new event called http_request that contains information about a single HTTP transaction. It contains both the info from the client and the server, plus additional information computed by correlating the two events.
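The correlation described above, as an added illustration that is not pom-ng's own code: a small analyzer that pairs each http_query with the next http_response on the same connection and emits one http_request per transaction. Event field names, the connection key and the sample events are constructed assumptions, not pom-ng's exact event layout.

```python
from dataclasses import dataclass, field

# Constructed stand-in for pom-ng's http_query / http_response events.
# Field names are assumptions; pom-ng's real events carry their own fields.
@dataclass
class Event:
    name: str      # "http_query" or "http_response"
    conn: str      # connection identifier (client -> server endpoint)
    ts: float      # capture timestamp in seconds
    fields: dict = field(default_factory=dict)

class HttpAnalyzer:
    """Pairs queries with responses per connection (FIFO, because HTTP/1.1
    responses arrive in the order of the requests) and emits http_request."""
    def __init__(self):
        self.pending = {}    # conn -> unanswered http_query events
        self.requests = []   # emitted http_request events

    def on_event(self, ev):
        queue = self.pending.setdefault(ev.conn, [])
        if ev.name == "http_query":
            queue.append(ev)
        elif ev.name == "http_response":
            if not queue:
                return None  # response without a query: capture started mid-connection
            q = queue.pop(0)
            req = {"conn": ev.conn, "query_ts": q.ts,
                   "response_time": round(ev.ts - q.ts, 3),
                   **q.fields, **ev.fields}
            self.requests.append(req)
            return req
        return None

def run(events):
    """Feed events in capture order; return (http_request list, unanswered queries)."""
    analyzer = HttpAnalyzer()
    for ev in sorted(events, key=lambda e: e.ts):
        analyzer.on_event(ev)
    unanswered = sum(len(q) for q in analyzer.pending.values())
    return analyzer.requests, unanswered

SAMPLE = [  # constructed events; 192.0.2.0/24 is a documentation range
    Event("http_query", "10.0.0.5:51000->192.0.2.10:80", 1.00, {"method": "GET", "url": "/index.html"}),
    Event("http_query", "10.0.0.5:51000->192.0.2.10:80", 1.01, {"method": "GET", "url": "/logo.png"}),
    Event("http_response", "10.0.0.5:51000->192.0.2.10:80", 1.20, {"status": 200}),
    Event("http_response", "10.0.0.5:51000->192.0.2.10:80", 1.35, {"status": 404}),
    Event("http_response", "10.0.0.7:40000->192.0.2.10:80", 2.00, {"status": 200}),  # no query seen
    Event("http_query", "10.0.0.5:51001->192.0.2.10:80", 3.00, {"method": "POST", "url": "/login"}),
]
```

The orphan response and the unanswered POST show the two edge cases a correlator has to tolerate: a capture that starts mid-connection, and a transaction still open when the capture ends.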

4) Packets/protocol payloads are analyzed

Some protocols carry files or payloads. The payload analyzers inspect the content of the payload and provide useful information about it for later filtering. For example, the jpeg analyzer provides the width and height of the image.

5) Outputs receive events, payloads and raw packets

The outputs then receive the generated events or the payloads and act on them according to their purpose. For example, the log_txt output receives the events configured in the selected template and logs them to a log file in the format specified by that template.
Other outputs behave differently: the pcap_file output saves the packets into a pcap file, and the file output saves payloads to files.

Configuration

In order to configure pom-ng, you must tell it how to read the packets and which output you want.
Let's use a simple example that logs all the HTTP requests sniffed from your interface into a log file that looks like an Apache log file.

1) Configure the input

You must first choose which input you want. The one we want is pcap_interface to capture packets from an interface.
We will add our new input and name it 'input1'.

pom> input add pcap_interface input1
input 'input1' added

As we can see, our input has been added and will listen on the interface eth0 by default. However, it is not yet running, so it is not capturing any packets.

pom> input show 
input1: (running: no, type: pcap_interface)
        interface : 'eth0' (string)
        promisc : 'no' (bool)

2) Configure the output

We will now tell pom-ng to save all the HTTP requests it finds into a log file. For this, we will use the output log_txt and name it apache_logs:

pom> output add log_txt apache_logs
output 'apache_logs' added

A quick look at the output configuration and we can see that no template is defined and that the output is not running :

pom> output show 
apache_logs: (running: no, type: log_txt)
        prefix : './' (string)
        template : '' (string)

So we will use the template 'http_apache'. This template writes its entries to the http.log file, and the prefix is prepended to that filename. Since we want the log in /tmp/http.log, we also change the prefix to '/tmp/':

pom> output parameter set apache_logs template http_apache
Parameter of output 'template' changed from  to http_apache
pom> output parameter set apache_logs prefix /tmp/
Parameter of output 'prefix' changed from ./ to /tmp/

3) Start everything

Now that both the input and the output are configured, we only have to start them :

pom> output start apache_logs 
Parameter of output 'running' changed from no to yes
pom> input start input1 
Parameter of input 'running' changed from no to yes

You should now find a file /tmp/http.log containing all the HTTP requests performed from your computer.
Now is also a good time to save your configuration if you are satisfied with it:

pom> config save http_logging
Registry configuration saved as "http_logging"
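A natural follow-up to the procedure above is to read back /tmp/http.log and summarize what was sniffed. The parser below is an added example, not part of pom-ng; it assumes the http_apache template emits Apache common log format lines (check one line of your real file against the regex) and uses constructed sample lines.

```python
import re
from collections import Counter

# Constructed sample lines in Apache common log format. Assumption: this is
# the layout the http_apache template writes to /tmp/http.log.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jan/2013:20:39:01 +0100] "GET /index.html HTTP/1.1" 200 5120
10.0.0.5 - - [27/Jan/2013:20:39:02 +0100] "GET /logo.png HTTP/1.1" 404 312
10.0.0.7 - - [27/Jan/2013:20:39:10 +0100] "POST /login HTTP/1.1" 302 0
this line is not in the expected format
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse(text):
    """Return (parsed entries, count of lines that did not match the format).
    Counting mismatches instead of silently dropping them shows when the
    template's layout differs from what this parser expects."""
    entries, bad = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            bad += 1
            continue
        d = m.groupdict()
        d["status"] = int(d["status"])
        d["size"] = 0 if d["size"] == "-" else int(d["size"])
        entries.append(d)
    return entries, bad

def summarize(entries):
    """Requests per client, per status code and total bytes: a first overview
    of the sniffed traffic before building finer filters in pom-ng."""
    return {
        "by_client": Counter(e["client"] for e in entries),
        "by_status": Counter(e["status"] for e in entries),
        "bytes": sum(e["size"] for e in entries),
    }

if __name__ == "__main__":
    entries, bad = parse(SAMPLE_LOG)
    print(summarize(entries), "unparsed lines:", bad)
```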
pom-ng/getting_started.txt · Last modified: 2013/01/27 20:39 by gmsoft