This project builds a virtual machine that can be used for analytics of tshark -T ek (ndjson) output. The virtual appliance is built with vagrant, which provisions Debian 10 with a pre-installed and pre-configured ELK stack.
After the VM is up, the process is simple:
- decoded pcaps (tshark -T ek output / ndjson) are sent over TCP/17570 to the VM
- the ELK stack in the VM processes and indexes the data
- Kibana is running in the VM and can be accessed on https://127.0.0.1:15601/app/kibana#/dashboards
git clone https://github.com/H21lab/tsharkVM.git
sudo apt update
sudo apt install tshark virtualbox vagrant
bash ./build.sh
# copy your pcaps into ./Trace
# run the following script
bash upload_pcaps.sh
# or use tshark directly towards 127.0.0.1 17570/tcp
# (the /dev/tcp redirection below is a bash feature; it will not work in sh)
tshark -r trace.pcapng -x -T ek > /dev/tcp/localhost/17570
firefox https://127.0.0.1:15601/app/kibana#/dashboards
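The redirection above pushes the tshark output blindly. As an added example (not part of the tsharkVM project), the following Python script parses the index/document line pairs that `tshark -T ek` emits, rejects a malformed stream before anything reaches the VM, summarizes the protocols seen and then forwards the stream to the TCP/17570 input. The sample stream is constructed here, not captured, and the field names (`frame_frame_protocols` inside the `frame` layer) assume the tshark 3.x ek layout.

```python
#!/usr/bin/env python3
"""Validate and forward `tshark -T ek` NDJSON to the tsharkVM TCP/17570 input.

Added example, not tsharkVM project code. The two-line index/document shape
and the field names follow the tshark 3.x ek output; the sample is constructed.
"""
import json
import socket
import sys
from collections import Counter

# Constructed sample of what `tshark -r trace.pcapng -T ek` emits: one index
# action line followed by one document line per packet (fields abbreviated).
SAMPLE_EK = """{"index":{"_index":"packets-2020-06-30","_type":"doc"}}
{"timestamp":"1593504000123","layers":{"frame":{"frame_frame_protocols":"eth:ethertype:ip:tcp"},"ip":{"ip_ip_src":"10.0.0.5","ip_ip_dst":"10.0.0.9"},"tcp":{"tcp_tcp_dstport":"443"}}}
{"index":{"_index":"packets-2020-06-30","_type":"doc"}}
{"timestamp":"1593504000456","layers":{"frame":{"frame_frame_protocols":"eth:ethertype:ip:udp:dns"},"ip":{"ip_ip_src":"10.0.0.5","ip_ip_dst":"10.0.0.1"},"udp":{"udp_udp_dstport":"53"}}}
"""


def parse_ek(text):
    """Split an ek stream into (index_action, document) pairs.

    Raises ValueError on an unpaired line, non-JSON, a first line that is not
    an index action, or a document without 'layers', so a corrupt or truncated
    stream is rejected instead of being indexed half-way.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("ek stream has an unpaired line")
    pairs = []
    for i in range(0, len(lines), 2):
        action, doc = json.loads(lines[i]), json.loads(lines[i + 1])
        if "index" not in action:
            raise ValueError(f"line {i + 1}: expected an index action, got {action}")
        if "layers" not in doc:
            raise ValueError(f"line {i + 2}: document has no 'layers' object")
        pairs.append((action, doc))
    return pairs


def protocol_summary(pairs):
    """Count packets by the innermost protocol in frame.protocols ('tcp', 'dns', ...)."""
    counts = Counter()
    for _, doc in pairs:
        protos = doc["layers"].get("frame", {}).get("frame_frame_protocols", "")
        counts[protos.rsplit(":", 1)[-1] or "unknown"] += 1
    return counts


def forward(pairs, host="127.0.0.1", port=17570, timeout=5.0):
    """Send the pairs as NDJSON over TCP to the Logstash input; returns bytes sent."""
    payload = "".join(
        json.dumps(action, separators=(",", ":")) + "\n"
        + json.dumps(doc, separators=(",", ":")) + "\n"
        for action, doc in pairs
    ).encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    # Usage: tshark -r trace.pcapng -T ek | python3 ek_forward.py [host] [port]
    # With no piped input the constructed sample is parsed and summarized only.
    stream = SAMPLE_EK if sys.stdin.isatty() else sys.stdin.read()
    parsed = parse_ek(stream)
    print(f"{len(parsed)} packets:", dict(protocol_summary(parsed)))
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 17570
        print(f"sent {forward(parsed, sys.argv[1], port)} bytes")
```

Note that `tshark -x` adds hex dumps of every layer to the ek documents, which inflates the index considerably; leave it out unless you need the raw bytes in Kibana.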
# log in to the VM
cd ./VM
vagrant ssh

# destroy the VM
cd ./VM
vagrant destroy default

# start the VM
cd ./VM
vagrant up

# stop the VM
cd ./VM
vagrant halt

# check the ELK services inside the VM
cd ./VM
vagrant ssh
sudo systemctl status kibana.service
sudo systemctl status elasticsearch.service
sudo systemctl status logstash.service
The program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY.
The default license of the source code provided in this project is the Apache License v2.0. Additionally, refer to the individual licenses and terms of use of the installed software (see the licenses for Wireshark, Elastic and others).
Created by Martin Kacer
Copyright 2020 H21 lab, All rights reserved, https://www.h21lab.com