Getting started
Before going into the configuration part, it is best to understand how pom-ng works.
Processing steps
1) Packets are read from an input
Packets can be read from multiple sources. To support the various sources, pom-ng provides several inputs. The most common ones are the following:
- Input pcap_interface reads packets from a network interface on your system
- Input dvb_c reads MPEG-TS packets from a DVB-C card
- Input pcap_file reads packets from a pcap file
- Input pcap_dir reads packets from multiple pcap files in a single directory
You can configure multiple inputs and run them at the same time.
2) Packets are analyzed
At this step, pom-ng analyzes the packets coming from the input. It finds out which protocol chain is inside each packet and decodes the headers of each protocol that will be useful for later processing. It also keeps track of the packets belonging to a single connection. This job is done by the protocol (aka proto) modules.
For higher-layer protocols such as HTTP, events are generated that contain information about a specific protocol event. For instance, the HTTP protocol has 2 events: http_query and http_response. The http_query event contains all the information about the query from the client. The http_response event contains all the information about the reply from the server.
3) Protocol events are processed
Most of the time, protocol events alone are not very useful. In the case of the http_query and http_response events, it is not easy to correlate a query with its response. This is why the http analyzer listens for those two events and creates a new event called http_request that contains the information about a single HTTP transaction. It contains both the info from the client and the server, plus additional information computed by correlating the two events.
4) Packets/protocol payloads are analyzed
Some protocols carry files or payloads. The payload analyzers check the content of the payload and provide useful information about it for later filtering. For example, the jpeg analyzer provides the width and height of the image.
5) Outputs receive events, payloads and raw packets
The outputs then receive the events that were generated, or the payloads. Depending on what the output does, it acts accordingly. For example, the log_txt output receives the events configured in the selected template and logs them into a log file in the format specified by the logging template.
Other outputs, such as pcap_file, save the packets into a pcap file, and the file output saves payloads into files.
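As an added illustration of steps 3 and 5 above (this is not pom-ng code, and the event field names, the per-connection FIFO matching and the Apache-style line layout are assumptions made for the example), the following Python simulates the http analyzer correlating http_query and http_response events into http_request events, with a log_txt-like output rendering each one as a log line. It also covers the two failure modes a correlating analyzer has to handle: a response that arrives with no known query on its connection, and a query whose response never comes.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample events, in the order a proto module might emit them.
# Connection 1 carries two pipelined queries; connection 2 has a query whose
# response never arrives; connection 3 delivers a response with no query.
SAMPLE_EVENTS = [
    {"event": "http_query", "conn": 1, "ts": 1700000000.00, "client": "10.0.0.5",
     "method": "GET", "url": "/index.html", "host": "example.com"},
    {"event": "http_query", "conn": 1, "ts": 1700000000.01, "client": "10.0.0.5",
     "method": "GET", "url": "/logo.png", "host": "example.com"},
    {"event": "http_response", "conn": 1, "ts": 1700000000.20, "status": 200, "size": 512},
    {"event": "http_query", "conn": 2, "ts": 1700000001.00, "client": "10.0.0.7",
     "method": "POST", "url": "/login", "host": "example.com"},
    {"event": "http_response", "conn": 1, "ts": 1700000000.35, "status": 404, "size": 0},
    {"event": "http_response", "conn": 3, "ts": 1700000002.00, "status": 200, "size": 10},
]


class HttpAnalyzer:
    """Correlates http_query and http_response events into http_request events.

    HTTP/1.1 responses on one connection come back in the order of the queries,
    so a FIFO queue of pending queries per connection is enough to pair them.
    """

    def __init__(self):
        self.pending = defaultdict(deque)  # conn id -> queries awaiting a response
        self.orphan_responses = 0          # responses seen with no pending query

    def process(self, ev):
        """Consume one proto event; return an http_request event or None."""
        if ev["event"] == "http_query":
            self.pending[ev["conn"]].append(ev)
            return None
        if ev["event"] == "http_response":
            queue = self.pending.get(ev["conn"])
            if not queue:
                self.orphan_responses += 1
                return None
            query = queue.popleft()
            return {
                "event": "http_request",
                "client": query["client"],
                "host": query["host"],
                "method": query["method"],
                "url": query["url"],
                "status": ev["status"],
                "size": ev["size"],
                "query_ts": query["ts"],
                # Derived by correlation: neither event alone carries this.
                "response_time": round(ev["ts"] - query["ts"], 3),
            }
        return None

    def unanswered(self):
        """Queries still waiting for a response (connection cut, timeout, ...)."""
        return [q for queue in self.pending.values() for q in queue]


def format_apache_line(req):
    """Render one http_request as an Apache common-log-style line.

    This layout is an assumption standing in for the http_apache template.
    """
    when = datetime.fromtimestamp(req["query_ts"], tz=timezone.utc)
    return (f'{req["client"]} - - [{when.strftime("%d/%b/%Y:%H:%M:%S")} +0000] '
            f'"{req["method"]} {req["url"]} HTTP/1.1" {req["status"]} {req["size"]}')


def run_pipeline(events):
    """Feed proto events through the analyzer and into the log output."""
    analyzer = HttpAnalyzer()
    requests, lines = [], []
    for ev in events:
        req = analyzer.process(ev)
        if req is not None:
            requests.append(req)
            lines.append(format_apache_line(req))
    return requests, lines, analyzer


if __name__ == "__main__":
    reqs, log_lines, an = run_pipeline(SAMPLE_EVENTS)
    print("\n".join(log_lines))
    print(f"orphan responses: {an.orphan_responses}, "
          f"unanswered queries: {[q['url'] for q in an.unanswered()]}")
```

The per-connection queue is what makes the correlation possible at all: without the connection tracking done by the proto modules in step 2, a response could not be tied back to its query, which is why pom-ng keys everything on the connection rather than on packets in isolation.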
Configuration
In order to configure pom-ng, you must tell it how to read the packets and what output you want.
Let's use a simple example that logs all the HTTP requests sniffed from your interface into a log file that looks like an Apache log file.
1) Configure the input
You must first choose which input you want. The one we want is pcap_interface to capture packets from an interface.
We will add our new input and name it 'input1'.
pom> input add pcap_interface input1
input 'input1' added
As we can see, our input has been added and will listen on the interface eth0 by default. However, it is not yet running, so it is not capturing any packets.
pom> input show
input1: (running: no, type: pcap_interface)
  interface : 'eth0' (string)
  promisc : 'no' (bool)
2) Configure the output
We will now tell pom-ng to save all the HTTP requests it finds into a log file. For this, we will use the output log_txt and we will name it apache_logs:
pom> output add log_txt apache_logs
output 'apache_logs' added
A quick look at the output configuration and we can see that no template is defined and that the output is not running :
pom> output show
apache_logs: (running: no, type: log_txt)
  prefix : './' (string)
  template : '' (string)
So we will use the template 'http_apache'. This template writes to the file http.log, and the prefix is prepended to that filename. Since we want the log at /tmp/http.log, we also change the prefix to '/tmp/':
pom> output parameter set apache_logs template http_apache
Parameter of output 'template' changed from  to http_apache
pom> output parameter set apache_logs prefix /tmp/
Parameter of output 'prefix' changed from ./ to /tmp/
3) Start everything
Now that both the input and the output are configured, we only have to start them :
pom> output start apache_logs
Parameter of output 'running' changed from no to yes
pom> input start input1
Parameter of input 'running' changed from no to yes
You should now find a file /tmp/http.log containing all the HTTP requests performed from your computer.
Now is also a good time to save your configuration if you are satisfied with it :
pom> config save http_logging
Registry configuration saved as "http_logging"
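Once the input and output above are running, the next thing a practitioner wants is to read /tmp/http.log back. The Python below is an added example, not part of pom-ng: it parses lines in the Apache common log format (an assumption about what the http_apache template emits, so compare the regex against a real line from your own http.log before relying on it), rejects lines that do not match instead of crashing, and summarizes requests per client and per status code, listing the 4xx/5xx transactions a defender would look at first. The sample lines are constructed for the example.

```python
import re
from collections import Counter

# Apache common log format: client, ident, user, [time], "request", status, size.
# Assumed to match what the http_apache template writes; verify on real output.
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample standing in for the contents of /tmp/http.log.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Nov/2023:22:13:20 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [14/Nov/2023:22:13:20 +0000] "GET /logo.png HTTP/1.1" 404 0
10.0.0.7 - - [14/Nov/2023:22:13:21 +0000] "POST /login HTTP/1.1" 302 -
10.0.0.9 - - [14/Nov/2023:22:13:25 +0000] "GET /admin HTTP/1.0" 403 0
this line is not in the expected format
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])  # "-" means no body
    return rec


def summarize(text):
    """Parse every line of the log text and aggregate the results.

    Returns per-client request counts, per-status counts, the list of
    4xx/5xx transactions, and the number of lines that failed to parse.
    """
    by_client, by_status, errors = Counter(), Counter(), []
    malformed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1  # count rather than abort: one bad line must not hide the rest
            continue
        by_client[rec["client"]] += 1
        by_status[rec["status"]] += 1
        if rec["status"] >= 400:
            errors.append((rec["client"], rec["method"], rec["url"], rec["status"]))
    return {"by_client": by_client, "by_status": by_status,
            "errors": errors, "malformed": malformed}


def summarize_file(path):
    """Convenience wrapper for a real log, e.g. summarize_file('/tmp/http.log')."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return summarize(fh.read())


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for client, count in result["by_client"].most_common():
        print(f"{client:>12} {count} request(s)")
    print("status codes:", dict(result["by_status"]))
    print("error responses:", result["errors"])
    print("unparsed lines:", result["malformed"])
```

Counting unparsed lines rather than discarding them silently is deliberate: a sudden rise in that counter after a pom-ng upgrade is the quickest sign that the template's line layout changed and the regex needs updating.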