pom-ng:getting_started

Differences
pom-ng:getting_started [2013/01/26 12:08]
188.143.232.12 KQvPZnoeFTAigs
pom-ng:getting_started [2013/01/27 19:39] (current)
gmsoft old revision restored
Line 1: Line 1:
-There is a crticail shortage ​of informative articles ​like this.+====== Getting started ====== 
 + 
 +Before going into the configuration part, it is best to understand how pom-ng works. 
 + 
 +===== Processing steps ===== 
 + 
 +==== 1) Packets are read from an input ==== 
 +Packets can be read from multiple sources. In order to be able to read packets from various sources, pom-ng has few input. The most common ones are the following : 
 +  * Input [[pom-ng:​input:​pcap_interface|pcap_interface]] reads packets from a network interface on your system 
 +  * Input [[pom-ng:​input:​dvb_c|dvb_c]] reads MPEG-TS packets from a DVB-C card 
 +  * Input [[pom-ng:​input:​pcap_file|pcap_file]] reads packets from a pcap file 
 +  * Input [[pom-ng:​input:​pcap_dir|pcap_dir]] reads packets from a multiple files in a single directory 
 + 
 + 
 +You can configure multiple inputs and run them at the same time. 
 + 
 +==== 2) Packets are analyzed ==== 
 + 
 +At this step, pom-ng analyze the packets coming from the input. It finds out what protocol chain are inside the packets and decode the headers ​of each protocol that will be useful for later processing. It will also keep track of packets related to a single connection. This job is done by the protocol aka proto modules.\\ 
 +For higher layer protocol such as [[pom-ng:​proto:​http|HTTP]],​ events will be generated that contain information about a specific protocol event. For instance, the HTTP protocol has 2 events : http_query and http_response. The http_query event contains all the information about the query from the client. The http_response event contains all the information about the reply from the server. 
 + 
 +==== 3) Protocol events are processed ==== 
 + 
 +Most of the time, protocol events alone are not very useful. In the case of the http_query and http_request events, it is not easy to correlate a query with a request. This is why the http analyzer will listen for those two events and create a new event called http_request that will contain informations about a single HTTP transaction. It will contain both the info from the client and the server with additional informations that will be computed by correlating the two events. 
 + 
 +==== 4) Packets/​protocol payloads are analyzed ==== 
 + 
 +Some protocols cary files or payload. The payload analyzers will check the content of the payload and provide useful information about it for later filtering. For example, the [[pom-ng:​analyzer:​jpeg|jpeg]] analyzer will provide the width and height of the image. 
 + 
 +==== 5) Outputs receive events, payloads and raw packets ==== 
 + 
 +The output will then receive the events that were generated or the payloads. Depending on what the output does, it will act accordingly. For example the [[pom-ng:​output:​log_txt]] will receive the events that are configured in the selected template and will log them in a log file in the format specified by the logging template.\\ 
 +Other output such as [[pom-ng:​output:​pcap_file]] will save the packets into a pcap file or the output [[pom-ng:​output:​file|file]] will save payloads in a file. 
 + 
 +===== Configuration ===== 
 + 
 +In order to configure pom-ng, you must tell it how to read the packets and what output you want.\\ 
 +Let's use a simple example that log all the HTTP requests being sniffed from your interface into a log file that looks like the apache log file. 
 + 
 +==== 1) Configure the input ==== 
 +You must first choose which input you want. The one we want is [[pom-ng:​input:​pcap_interface|pcap_interface]] to capture packets from an interface.\\ 
 +We will add our new input and name it '​input1'​. 
 +  pom> input add pcap_interface input1 
 +  input '​input1'​ added 
 + 
 +As we can see, out input has been added and will be listening to the interface eth0 by default. However it is not yet running so it is not capturing any packet. 
 +  pom> input show  
 +  input1: (running: no, type: pcap_interface) 
 +          interface : '​eth0'​ (string) 
 +          promisc : '​no'​ (bool) 
 + 
 +==== 2) Configure the output ==== 
 +We will now tel pom-ng to save all the HTTP requests that it finds out into a log file. For this, we will use the output [[pom-ng:​output:​log_txt|log_txt]] and we will name it apache_logs : 
 +  pom> output add log_txt apache_logs 
 +  output '​apache_logs'​ added 
 + 
 +A quick look at the output configuration and we can see that no template is defined and that the output is not running : 
 +  pom> output show  
 +  apache_logs:​ (running: no, type: log_txt) 
 +          prefix : './' (string) 
 +          template : ''​ (string) 
 + 
 +So we will use the template '​http_apache'​. This template saves the files in the http.log file. The filename will be prepended by the prefix. Since we want to save it in /​tmp/​http.log,​ we will also change the prefix to '/​tmp/'​ : 
 + 
 +  pom> output parameter set apache_logs template http_apache 
 +  Parameter of output '​template'​ changed from  to http_apache 
 +  pom> output parameter set apache_logs prefix /tmp/ 
 +  Parameter of output '​prefix'​ changed from ./ to /tmp/ 
 +   
 +==== 3) Start everything ==== 
 + 
 +Now that both the input and the output are configured, we only have to start them : 
 +  pom> output start apache_logs  
 +  Parameter of output '​running'​ changed from no to yes 
 +  pom> input start input1  
 +  Parameter of input '​running'​ changed from no to yes 
 + 
 +You should now find a file /​tmp/​http.log containing all the http requests that you will perform on your computer.\\ 
 +Now is also a good time to save your configuration if you are satisfied with it : 
 +  pom> config save http_logging 
 +  Registry configuration saved as "​http_logging"​ 
 +   
 + 
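Review bot: the "3) Protocol events are processed" paragraph in this hunk names the two protocol events as http_query and http_request and says the analyzer correlates "a query with a request", but the preceding "2) Packets are analyzed" paragraph defines the HTTP protocol's two events as http_query and http_response, and http_request is the name of the new combined event the http analyzer emits; the paragraph should read "In the case of the http_query and http_response events, it is not easy to correlate a query with a response", otherwise the analyzer's output event is confused with one of its inputs. Separately, the removed line and the first restored line have been run together on the first line of the hunk ("...like this.+====== Getting started ======"); in the wiki diff these are two separate lines (one removed, one added). Spelling in the restored text worth a follow-up revision: "has few input" (has a few inputs), "pom-ng analyze" (analyzes), "cary" (carry), "tel pom-ng" (tell), "out input" (our input), and "informations" (information).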
pom-ng/getting_started.txt · Last modified: 2013/01/27 19:39 by gmsoft