Packet Capture

The Device42 Packet Capture tool enables packet capture to be leveraged as a means of discovery [v16.00+]. Packet capture is capable of discovering service communication happening in real-time for any service listeners that are known to Device42, and therefore with packet capture, users can discover even those service communications that happen too infrequently to have been otherwise captured by scheduled discovery jobs.

Device42 Packet capture supports both individual and Promiscuous interfaces allowing you the flexibility to deploy and leverage packet capture in whatever way makes the most sense for your IT environment.

Prerequisites

• A functioning Device42 MA (destination for captured data), running v16.00.00+ or newer
• Network communication allowed from the machine you’ll be capturing packets on to your Device42 MA.
• An active network adapter connected to the target traffic capture network
• If using Windows, a WinPcap-compatible library (like npcap) must be installed – Be sure to select the option “install in API-Compatible mode”during setup!
• If using Linux, libpcap must be installed to support packet capture.
• OPTIONAL: Promiscuous mode [aka ‘monitor’ mode] enabled for the network and/or the interface of interest.

Reference the Packet Capture 101 video for a quick overview of D42 Packet Capture setup and usage.

Configuration

1. Download the appropriate version of the utility [Windows or *nix], and extract to the destination of your choice.
2. Place the configuration file d42pcap.json into the directory you extracted the utility into.
3. On Linux, symlink libpcap as required by the application, as the application is searching for the filename libpcap.so.1:
   1. sudo ln -s /usr/lib/x86_64-linux-gnu/libpcap.so.1.8.1 /usr/lib/x86_64-linux-gnu/libpcap.so.1
4. On Windows: no extra configuration needed.
5. Configure the utility by editing d42pcap.json. At minimum, configure the following sections to run the Packet Capture utility:
   1. Point the utility at your Device42 instance by inputting its IP, user, and PW into the ‘device42’ section of the config; save the file.
   2. Enter the name of your capture interface in the device property of the pcap section (use name as shown under `ipconfig` on windows, or `ifconfig` on Linux, e.g. `ens32`)
   3. Adjust the interval property of the common section; default is to relay 60-second chunks of capture data to Device42 so as not to overwhelm the MA if not using filtering and/or capturing traffic from many devices.
6. The utility may be installed to run as a Windows or Linux Service as desired. See “installing as a service” section of this document.

Executing the Packet Capture Utility

1. Ensure all prerequisites are met as described in the section of this document by the same name.
2. Configure the utility as described in the “Configuration” section above.
3. Execute the utility:
   • Windows:     c:\>  d42pcap.exe
   • Linux:     $ sudo ./d42pcap_linux_64
4. Optional runtime parameters are as follows:

Configuration File Definitions

Device42 Configuration

COMMON configuration

PCAP Configuration Section

CAPTURE Configuration Section

Installing D42 Packet Capture as a System Service

On Windows:

1. Simply execute with the ‘install-win-service’ flag or follow the instructions to create a new Linux service daemon.
   1. C:\> d42pcap -install-win-service

On Linux Daemon

1. To run the utility as a Linux daemon, create a service file like the following example in /etc/systemd/system:

[Unit]
Description=Device42 Packet Capture Utility

[Service]
PIDFile=/tmp/d42pcap.pid
User=root
Group=root
WorkingDirectory=/usr/bin
ExecStart=/usr/bin/d42pcap
Restart=always

[Install]
WantedBy=multi-user.target

2. Enable and then start the service:

sudo systemctl enable d42pcap.service
sudo systemctl start d42pcap.service