====== Getting started ======

Before going into the configuration part, it is best to understand how pom-ng works.

===== Processing steps =====

==== 1) Packets are read from an input ====
Packets can come from several kinds of sources, so pom-ng provides several input modules. The most common ones are the following:
  * Input [[pom-ng:input:pcap_interface|pcap_interface]] reads packets from a network interface on your system
  * Input [[pom-ng:input:dvb_c|dvb_c]] reads MPEG-TS packets from a DVB-C card
  * Input [[pom-ng:input:pcap_file|pcap_file]] reads packets from a pcap file
  * Input [[pom-ng:input:pcap_dir|pcap_dir]] reads packets from multiple files in a single directory

You can configure multiple inputs and run them at the same time.

==== 2) Packets are analyzed ====

At this step, pom-ng analyzes the packets coming from the inputs. It works out which protocol chain is inside each packet and decodes the headers of each protocol that will be useful for later processing. It also keeps track of the packets that belong to a single connection. This job is done by the protocol modules, aka proto modules.\\
For higher-layer protocols such as [[pom-ng:proto:http|HTTP]], events are generated that carry information about a specific protocol event. For instance, the HTTP protocol has 2 events: http_query and http_response. The http_query event contains all the information about the query sent by the client. The http_response event contains all the information about the reply sent by the server.

==== 3) Protocol events are processed ====

Most of the time, protocol events alone are not very useful. In the case of the http_query and http_response events, it is not easy to correlate a query with its response, since each event only describes one side of the exchange. This is why the http analyzer listens for those two events and creates a new event called http_request that describes a single HTTP transaction. It contains both the info from the client and from the server, plus additional information computed by correlating the two events.

==== 4) Packets/protocol payloads are analyzed ====

Some protocols carry files or payloads. The payload analyzers inspect the content of the payload and provide useful information about it for later filtering. For example, the [[pom-ng:analyzer:jpeg|jpeg]] analyzer provides the width and height of the image.

==== 5) Outputs receive events, payloads and raw packets ====

The outputs then receive the events that were generated or the payloads, and each output acts according to what it does. For example, [[pom-ng:output:log_txt]] receives the events configured in the selected template and logs them to a log file in the format specified by that template.\\
Other outputs, such as [[pom-ng:output:pcap_file]], save the packets into a pcap file, and the output [[pom-ng:output:file|file]] saves payloads to files.
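To make steps 2 to 5 concrete, here is a small Python model of the pipeline, written for this page and not taken from pom-ng's code: constructed http_query/http_response events are correlated into http_request transactions the way step 3 describes, and each transaction is rendered as an Apache-style log line of the kind the http_apache template produces. The connection key, the field names (client_addr, method, url, status, content_length) and the duration computation are assumptions made for illustration, not pom-ng's own; the sample events are constructed, not captured.

```python
"""Toy model of pom-ng's processing pipeline: protocol events from step 2 are
correlated by an analyzer (step 3) into http_request transactions, which an
output (step 5) renders as Apache-style log lines.

This is an added example, not pom-ng code. Event and field names other than
http_query/http_response/http_request are assumptions made for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Event:
    name: str    # "http_query", "http_response" or "http_request"
    conn: str    # assumed connection key, e.g. "client:port>server:port"
    ts: float    # capture timestamp (epoch seconds)
    data: dict   # protocol fields (field names are assumptions)


class HttpAnalyzer:
    """Listens for http_query and http_response and emits http_request.

    A FIFO of unanswered queries is kept per connection: HTTP/1.1 requires
    responses on one connection to come back in request order, so the oldest
    unanswered query is the one a response belongs to (this also handles
    pipelined requests).  A response with no pending query, typically because
    the capture started mid-connection, cannot be correlated and is parked in
    ``unmatched`` rather than paired with the wrong query.
    """

    def __init__(self):
        self.pending = defaultdict(deque)   # conn -> queue of http_query events
        self.transactions = []              # emitted http_request events
        self.unmatched = []                 # http_response events with no query

    def on_event(self, ev):
        if ev.name == "http_query":
            self.pending[ev.conn].append(ev)
            return None
        if ev.name != "http_response":
            return None
        queue = self.pending[ev.conn]
        if not queue:
            self.unmatched.append(ev)
            return None
        query = queue.popleft()
        # Correlated fields: everything from the query, the response fields
        # prefixed with "response_", plus a value computable only from both sides.
        data = dict(query.data)
        data.update({"response_" + k: v for k, v in ev.data.items()})
        data["duration_ms"] = round((ev.ts - query.ts) * 1000, 1)
        tx = Event("http_request", ev.conn, query.ts, data)
        self.transactions.append(tx)
        return tx


def apache_common_log(tx):
    """Render one http_request event as an Apache common-log line.  The real
    http_apache template's format is pom-ng's; this rendering is the example's own."""
    d = tx.data
    when = datetime.fromtimestamp(tx.ts, tz=timezone.utc).strftime("%d/%b/%Y:%H:%M:%S %z")
    return (f'{d["client_addr"]} - - [{when}] "{d["method"]} {d["url"]} HTTP/1.1" '
            f'{d["response_status"]} {d["response_content_length"]}')


# Constructed sample events (not a real capture): two pipelined queries on
# connection A, a response on connection B whose query was never seen, then
# A's two responses in order.
SAMPLE_EVENTS = [
    Event("http_query", "A", 1700000000.00, {"client_addr": "10.0.0.5", "method": "GET", "url": "/index.html"}),
    Event("http_query", "A", 1700000000.05, {"client_addr": "10.0.0.5", "method": "GET", "url": "/logo.jpg"}),
    Event("http_response", "B", 1700000000.10, {"status": 304, "content_length": 0}),
    Event("http_response", "A", 1700000000.20, {"status": 200, "content_length": 512}),
    Event("http_response", "A", 1700000000.30, {"status": 200, "content_length": 2048}),
]


def run_pipeline(events):
    """Feed events through the analyzer in capture order; return the analyzer
    and the log lines the output would have written."""
    analyzer = HttpAnalyzer()
    lines = []
    for ev in sorted(events, key=lambda e: e.ts):
        tx = analyzer.on_event(ev)
        if tx is not None:
            lines.append(apache_common_log(tx))
    return analyzer, lines


if __name__ == "__main__":
    an, out = run_pipeline(SAMPLE_EVENTS)
    print("\n".join(out))
    print(f"{len(an.unmatched)} response(s) could not be correlated")
```

The per-connection FIFO is the detail worth noticing: a response is matched to the oldest unanswered query on the same connection, which is what HTTP/1.1's in-order response rule guarantees, and a response whose query was never seen is reported separately rather than being paired with a query from another connection.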

===== Configuration =====

In order to configure pom-ng, you must tell it how to read the packets and what output you want.\\
Let's use a simple example that logs all the HTTP requests sniffed on your interface into a log file that looks like an Apache access log.

==== 1) Configure the input ====
You must first choose which input you want. The one we want is [[pom-ng:input:pcap_interface|pcap_interface]], to capture packets from an interface.\\
We will add our new input and name it 'input1':
  pom> input add pcap_interface input1
  input 'input1' added

As we can see, our input has been added and will listen on the interface eth0 by default. However, it is not yet running, so it is not capturing any packets. Note that with promisc set to 'no' the input only receives frames addressed to this host (plus broadcast and subscribed multicast), and that capturing from an interface requires the privileges libpcap needs on your system (on Linux, root or the CAP_NET_RAW capability).
  pom> input show
  input1: (running: no, type: pcap_interface)
          interface : 'eth0' (string)
          promisc : 'no' (bool)

==== 2) Configure the output ====
We will now tell pom-ng to save all the HTTP requests it finds into a log file. For this, we will use the output [[pom-ng:output:log_txt|log_txt]] and we will name it apache_logs:
  pom> output add log_txt apache_logs
  output 'apache_logs' added

A quick look at the output configuration shows that no template is defined and that the output is not running:
  pom> output show
  apache_logs: (running: no, type: log_txt)
          prefix : './' (string)
          template : '' (string)

So we will use the template 'http_apache'. This template writes to the file http.log; the prefix is prepended to the filename. Since we want the log in /tmp/http.log, we also change the prefix to '/tmp/'. (/tmp is writable by every user on the system, which is fine for a quick test; for logs you intend to keep, use a directory that only the user running pom-ng can write to.)

  pom> output parameter set apache_logs template http_apache
  Parameter of output 'template' changed from  to http_apache
  pom> output parameter set apache_logs prefix /tmp/
  Parameter of output 'prefix' changed from ./ to /tmp/

==== 3) Start everything ====

Now that both the input and the output are configured, we only have to start them:
  pom> output start apache_logs
  Parameter of output 'running' changed from no to yes
  pom> input start input1
  Parameter of input 'running' changed from no to yes

You should now find a file /tmp/http.log containing all the HTTP requests seen on the interface, including the ones you perform from your computer.\\
Now is also a good time to save your configuration if you are satisfied with it:
  pom> config save http_logging
  Registry configuration saved as "http_logging"

pom-ng/getting_started.1359202099.txt.gz · Last modified: 2020/05/26 21:59 (external edit)