pom:getting_started
Revision of 2020/05/26 21:59 (current), created by external edit from 127.0.0.1.
===== Getting started =====

First, start packet-o-matic. This will start the program without any configuration.

  packet-o-matic

At this point, packet-o-matic listens on port 4655. Simply telnet to it and start configuring it.

  telnet localhost 4655

You can also use the web interface. If you compiled it with xmlrpc-c support, start with the -X switch to enable the web interface.

  packet-o-matic -X

Then you can simply point your browser to [[http://

To have a quick reference of all the parameters of each module, you can run

  packet-o-matic -h

This is useful to get the list of all the matches and their parameters.

You have to perform the following tasks to get a running configuration:
  * choose an input type and configure it
  * add the rules you need
  * add the targets you need
  * save the config

===== Real life example =====

The following example starts a pcap input on eth0 (the default) and dumps all the images that go over HTTP on port 80:

We use input pcap to sniff traffic on a network card. By default, input_pcap will sniff on eth0.

  pom> input type set pcap

Our input now looks like this:

  pom> input show
  Current input : pcap, mode interface (0 packets, 0 bytes)
    interface = eth0
    snaplen = 1522 bytes
    promisc = no
    filter =

We want to match everything destined to port 80. Packets in the reverse direction are found automatically by the connection tracking modules.

  pom> rule add tcp.dport == 80
  Added rule with id 0

As you can see, the rule has been created but is currently disabled:

  pom> rule show
  Rule 0 (0 pkts, 0 bytes) (disabled) :
    tcp.dport == 80

We therefore need to enable the rule so that it processes packets:

  pom> rule enable 0

We use target_http to dump parts of the HTTP traffic into files. We add this target to rule 0. By default, target_http will dump everything into /tmp.

  pom> target add 0 http
  Added target with id 0 to rule 0

We want to dump the images, so enable image dumping:

  pom> target parameter set 0 0 dump_img yes

If everything went fine, your target should look like this:

  pom> target show
  Rule 0 : targets (0 pkts, 0 bytes) :
    0) http, mode default (0 pkts, 0 bytes) (stopped)
      prefix = /tmp
      decompress = yes
      mime_types_db = /
      log_file =
      log_format = %v %a %u %t "
      dump_img = yes
      dump_vid = no
      dump_snd = no
      dump_txt = no
      dump_bin = no
      dump_doc = no

We can now start the target we just added.

  pom> target start 0 0

Finally, we start the input to capture packets and begin dumping the images.

  pom> input start

To save our changes, we simply write the configuration:

  pom> config write
  Configuration written in pom.xml.conf
pom/getting_started.txt · Last modified: 2020/05/26 21:59 by 127.0.0.1