PCAP Schedules
  • 06 Feb 2024

Article Summary

Manage PCAP schedules by using the Sensors ► Capture ► PCAP schedules page.

This article covers the PCAP scheduling section of Capture Orchestration. A PCAP schedule records network traffic on the selected Capture Sensors according to the criteria set in the schedule: when it runs, for how long, up to what file size, and which packets to keep.

If you are working from Windows, see PCAP Schedule for Windows Users at the end of this article.

Main View


Clicking the PCAP schedules tab opens a table listing the schedules created so far, together with the current status of each.

A packet capture on the selected Capture Sensors can run immediately or be scheduled for a later time; a start time in the past is not accepted.


Creating a new PCAP schedule

Note: Only sensors running version 23.04 or later appear in the sensor selection.

  1. Click the ➕ button in the top-right corner to create a new PCAP schedule.
  2. Complete the required fields.
    • Many of the configuration settings have tooltips explaining their purpose.
    • Maximum duration is 7 days.
    • Maximum file size is 1 GB.

The Custom filter (tcpdump) field under Advanced settings accepts a tcpdump (BPF) filter expression. A custom filter overrides some of the other settings in the schedule, so it is recommended for advanced users only. You can check that an expression is syntactically valid before scheduling it by compiling it locally with tcpdump -d, which prints the compiled filter without capturing anything.

  3. Click the checkmark in the top-right corner of the sidebar to save and create your new PCAP schedule.

  4. Once created, the schedule is pending. Click the Refresh button in the local view, not the web browser's Refresh button, to see status changes reflected in the table.

  5. When the schedule completes, you can download the PCAP file for offline analysis. A schedule that runs immediately is usually complete by the time you refresh.

  • You can delete a PCAP schedule by clicking Delete.
  • You can clone a schedule by clicking the Copy button.
  • The table can be filtered and is paginated: the number of rows per page is set by the user, and you can move between pages.

The resulting capture files are encrypted. You can download them by selecting the PCAP schedule and clicking the Download button. The capture files produced by each schedule are listed beneath it.


Note: The capture files are encrypted to the GnuPG public key uploaded to the system, so you need the matching private key to decrypt them. For details, see Managing Encryption Keys.


Managing Encryption Keys

You can manage the encryption (GnuPG) keys through this UI. If no key has been uploaded, a pop-up informs you that a key is missing and asks you to upload a GnuPG public key; until a key is uploaded, every schedule you create fails immediately. For further details, see Uploading a new GnuPG key.

The page shows the current key's fingerprint and other details, its expiry date, and a brief history of previous uploads.

To get started, download and install the GnuPG command-line tools for your operating system; installing the latest version available for your platform is recommended.

Checking for existing GnuPG keys

Prior to generating a GnuPG key, check to see if you already have any existing GnuPG keys.

To check for existing GnuPG keys

  1. Open the console.

  2. Run gpg --list-secret-keys --keyid-format=long to display the long form of the GnuPG keys for which you have both a public and a private key.

    The private key is what decrypts the encrypted PCAP files produced on the Capture Sensors; only the public key is uploaded to the system.

$ gpg --list-secret-keys --keyid-format=long


Note: Some GnuPG installations on Linux ship the 2.x binary as gpg2; there, run gpg2 --list-secret-keys --keyid-format=long instead. (--list-keys lists public keys only, which does not tell you whether the private key is present.)

  3. Check the command output to see whether you have a GnuPG key pair. If there is no key pair, generate a new one (see Generating a new GnuPG key below).

  4. From the list, copy the long form of the GnuPG key ID that you want to use. In this example, the key ID is E112110E159CAAF7:
$ gpg --list-secret-keys --keyid-format=long
/home/jdoe/.gnupg/pubring.kbx
------------------------------------
sec   4096R/E112110E159CAAF7 2020-01-01 [expires: 2025-01-01]
uid                          John Doe
ssb   4096R/B190940F788985D2 2020-01-01


Note: Before reusing an existing key, make sure it has not expired; the expiry date is shown in the listing (expires: 2025-01-01 in the example above).

  5. Export the public key, replacing E112110E159CAAF7 with the key ID you want to use:
$ gpg --armor --export E112110E159CAAF7
# Prints the public key in ASCII armor format

  6. Copy the key block, starting with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.

  7. Write the key block to a file and upload that file as described in Uploading a new GnuPG key.

Generating a new GnuPG key

If you don't already have a GnuPG key, you can generate a new GnuPG key.

To generate a new GnuPG key

  1. Open the console.

  2. Generate a GnuPG key pair. Because there are numerous GnuPG versions, you may have to consult the applicable man page to find the key generation command. Note that the key must use RSA.

  • If you are on version 2.1.17 or later, run the command below to generate a key pair interactively.
$ gpg --full-generate-key
  • On older versions, gpg --full-generate-key is not available. Run the command below instead and skip to step 7.
$ gpg --default-new-key-algo rsa4096 --gen-key
  3. At the prompt, choose the kind of key: select RSA and RSA. Do not simply accept the default unless it is RSA; GnuPG 2.3 and later default to ECC at this prompt, which the system does not accept.

  4. At the prompt, enter the key size. The key must be at least 4096 bits, so type 4096 rather than accepting the default, which is smaller in current releases.

  5. Enter how long the key should be valid. Pressing Enter accepts the default, a key that never expires. If you set an expiry, the UI shows it and notifies you when it passes (see Uploading a new GnuPG key).

  6. Confirm that your selections are correct.

  7. Enter your user ID information.

  8. Choose a strong passphrase.

  9. Run gpg --list-secret-keys --keyid-format=long to list the long form of the GnuPG keys for which you have both a public and a private key.

$ gpg --list-secret-keys --keyid-format=long


Note: Some GnuPG installations on Linux ship the 2.x binary as gpg2; there, run gpg2 --list-secret-keys --keyid-format=long instead.

  10. From the list, copy the long form of the GnuPG key ID that you want to use. In this example, the key ID is E112110E159CAAF7:
$ gpg --list-secret-keys --keyid-format=long
/home/jdoe/.gnupg/pubring.kbx
------------------------------------
sec   4096R/E112110E159CAAF7 2020-01-01 [expires: 2025-01-01]
uid                          John Doe
ssb   4096R/B190940F788985D2 2020-01-01

  11. Export the public key, replacing E112110E159CAAF7 with the key ID you want to use:
$ gpg --armor --export E112110E159CAAF7
# Prints the public key in ASCII armor format

  12. Copy the key block, starting with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.

  13. Write the key block to a file and upload that file as described in Uploading a new GnuPG key.
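The command-line procedures above (checking for an existing key, generating an RSA 4096 key pair, exporting the public key for upload) and the decryption of a downloaded capture, which this article otherwise only walks through for Kleopatra, are collected in the following POSIX shell script. It is an added example, not part of the original article or of Accedian's tooling. The script name pcap-gpg.sh, the unattended batch parameters, the two-year expiry, the file names and the pcap magic-number check are assumptions; E112110E159CAAF7 is the placeholder key ID from the listings above, and the listing text used to exercise the parsing is constructed.

```shell
#!/bin/sh
# pcap-gpg.sh: the GnuPG side of a PCAP schedule, end to end.
# Added example; script name, batch parameters and expiry are assumptions.
set -eu

usage() {
    cat <<'EOF'
usage: pcap-gpg.sh check                                 # find a usable secret key
       pcap-gpg.sh generate "Your Name" you@example.com  # RSA-4096 pair, unattended
       pcap-gpg.sh export KEYID pubkey.asc               # public key for the upload dialog
       pcap-gpg.sh decrypt capture.pcap.gpg capture.pcap # decrypt a download, sanity-check it
EOF
}

# Long key ID (16 hex digits) on the first "sec" line of
# `gpg --list-secret-keys --keyid-format=long`; handles both the old
# "4096R/ID" and the current "rsa4096/ID" column formats.
key_id_from_listing() {
    sed -n 's/^sec[[:space:]]*[^/]*\/\([0-9A-Fa-f]\{16\}\).*/\1/p' | head -n 1
}

# Expiry date on the first "sec" line; empty when the key never expires.
expiry_from_listing() {
    sed -n 's/^sec.*\[expires: \([0-9-]\{10\}\)].*/\1/p' | head -n 1
}

# True if an ISO date (YYYY-MM-DD) is today or earlier; dashes are dropped
# so the dates compare as plain integers.
date_is_past() {
    [ "$(printf '%s' "$1" | tr -d '-')" -le "$(date -u +%Y%m%d)" ]
}

# True if the file starts with a pcap or pcapng magic number, so a download
# that decrypted to something other than a capture is caught before Wireshark.
pcap_magic_ok() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

cmd_check() {
    listing=$(gpg --list-secret-keys --keyid-format=long 2>/dev/null || true)
    id=$(printf '%s\n' "$listing" | key_id_from_listing)
    if [ -z "$id" ]; then
        echo "no secret key found; run: $0 generate \"Your Name\" you@example.com" >&2
        return 1
    fi
    exp=$(printf '%s\n' "$listing" | expiry_from_listing)
    if [ -n "$exp" ] && date_is_past "$exp"; then
        echo "key $id expired on $exp; generate a new one" >&2
        return 1
    fi
    echo "usable key: $id${exp:+ (expires $exp)}"
}

# Unattended generation with what the article requires: RSA, 4096 bits, for
# the primary key and the encryption subkey. The passphrase is still asked
# for via pinentry; the 2-year expiry is an assumption, adjust to your rotation.
cmd_generate() {
    gpg --batch --gen-key <<EOF
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $1
Name-Email: $2
Expire-Date: 2y
%ask-passphrase
%commit
EOF
}

# ASCII-armored public key only; the private key never leaves this host.
cmd_export() {
    gpg --armor --export "$1" > "$2"
    grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$2" ||
        { echo "export of $1 produced no key block" >&2; return 1; }
    echo "public key written to $2; upload it in Sensors > Capture > PCAP schedules"
}

cmd_decrypt() {
    gpg --output "$2" --decrypt "$1"
    pcap_magic_ok "$2" && { echo "$2 decrypted, pcap/pcapng magic OK"; return 0; }
    echo "$2 does not start with a pcap/pcapng magic number" >&2
    return 1
}

case "${1:-}" in
    check)    cmd_check ;;
    generate) cmd_generate "${2:?name}" "${3:?email}" ;;
    export)   cmd_export "${2:?key id}" "${3:?output file}" ;;
    decrypt)  cmd_decrypt "${2:?input file}" "${3:?output file}" ;;
    *)        usage ;;
esac
```

Run sh pcap-gpg.sh check before creating a schedule: it fails with a clear message when no secret key is present or when the key in the listing has expired, the same condition the UI flags in its toolbar. The magic-number check after decryption tells a capture that decrypted cleanly apart from a truncated or non-capture download before you open it in Wireshark.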

Uploading a new GnuPG key

To upload a new GnuPG key

If a GnuPG key has not already been uploaded to the system, you will be prompted with a message asking to do so.

If you select Not right now, you can still create schedules, but they fail until a key is uploaded.

  1. Click Upload a GnuPG public key...

  2. Navigate to where your keys are stored.

  3. Click Open.
    Your GnuPG key is now uploaded to the system and encryption is enabled.

  • You will see relevant information for your current key and can view a historical list of past keys that have been posted.
  • If your GnuPG key has expired, a notification will appear in the top toolbar of your screen. Clicking the notification will present you with the option to upload the key. Once uploaded, the message will disappear.


For more information, see PCAP Download and GPG Keys to Download.


PCAP Schedule for Windows Users:

To create PCAP schedules from Windows:

  1. Go to GnuPG Download and download Gpg4win.
    This installs Kleopatra, the Gpg4win key manager.
  2. Once it is installed, open Kleopatra and choose:
    File –> New OpenPGP key pair
  3. Enter your name and email. Under the dialog's Advanced settings, select RSA with a 4096-bit key, since the system requires an RSA key of at least 4096 bits (see Generating a new GnuPG key), then click OK.
    A notification confirms that the key pair was created.
  4. Choose Export to save the public key to your laptop (IMPORTANT: this file is uploaded when you create the PCAP schedule). The private key stays in Kleopatra and is used later to decrypt downloads.
  5. Go to the Capture section, PCAP schedules.
  6. When prompted to upload a key, click Upload.
  7. Choose the key file exported in step 4.
    If the upload succeeds, the key is shown together with its expiry date.
  8. Create the PCAP schedule. Once it finishes, the capture is ready for download.
  9. Download the encrypted PCAP from the schedule created in step 8.
  10. Open Kleopatra and select Decrypt/Verify.
  11. Select the downloaded file and save the result.
    Kleopatra decrypts the file and writes the plain .pcap.

The decrypted file can now be opened and viewed in Wireshark.

© 2024 Accedian Networks Inc. All rights reserved. Accedian®, Accedian Networks®,  the Accedian logo™, Skylight™, Skylight Interceptor™ and per-packet intel™, are trademarks or registered trademarks of Accedian Networks Inc. To view a list of Accedian trademarks visit: http://accedian.com/legal/trademarks/. 

