
Honeypot Traffic Capture Script

This script captures network traffic from specified ports on a given network interface and rotates the PCAP files based on a configurable maximum file size. It also detects periods of inactivity and ensures the traffic capture process is always running.
Features

  • Configurable Ports: Specify one or more ports to monitor.
  • File Rotation: Automatically rotates PCAP files when they exceed a defined size limit.
  • Inactivity Handling: Detects inactivity and rotates files after a set threshold.
  • Process Monitoring: Restarts the capture process if it unexpectedly stops.
  • Daemon Mode: Runs continuously as a background process.

Prerequisites

  1. Linux environment with a bash shell.
  2. tcpdump installed (sudo apt install tcpdump or equivalent).
  3. Sufficient permissions to run tcpdump (e.g., root or CAP_NET_ADMIN capability).

Configuration

The script can be customized by modifying the following variables:

Variable      Description                                                Example Values
PORTS         Comma-separated list of ports to capture traffic on.       11434 or 11434,11435
NIC           Network interface to monitor.                              eth0, ens192, any
MAX_SIZE_MB   Maximum size (in MB) for each PCAP file before rotation.   50
OUTPUT_DIR    Directory where PCAP files will be saved.                  ./pcaps
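The behaviour listed under Features, driven by the variables in the table above, as an added sketch that is not the repository's hp_capture.sh (whose source is not shown on this page): a digits-only PORTS-to-BPF filter builder, the size and inactivity checks, and a supervisor that restarts or rotates tcpdump. IDLE_SECS, the hp_ file prefix, the function names and GNU stat on Linux are assumptions.

```shell
# Added example, not the repository's hp_capture.sh: the building blocks of a
# port-scoped capture loop with size/inactivity rotation, as testable functions.
PORTS="${PORTS:-11434,11435}"      # comma-separated, as in the README table
NIC="${NIC:-any}"
MAX_SIZE_MB="${MAX_SIZE_MB:-50}"
OUTPUT_DIR="${OUTPUT_DIR:-./pcaps}"
IDLE_SECS="${IDLE_SECS:-300}"       # assumed idle threshold; not named in the README

# "11434,11435" -> "port 11434 or port 11435". Only digits are accepted so a
# malformed PORTS value cannot add extra BPF terms to the tcpdump filter.
build_filter() {
  local filter="" old_ifs="$IFS" p
  IFS=','
  for p in $1; do
    case $p in ''|*[!0-9]*) IFS="$old_ifs"; return 1 ;; esac
    filter="${filter:+$filter or }port $p"
  done
  IFS="$old_ifs"
  printf '%s' "$filter"
}
# True when the pcap has reached MAX_SIZE_MB (GNU stat; Linux assumed).
needs_rotation() {              # $1=file $2=max MB
  local bytes; bytes=$(stat -c %s "$1" 2>/dev/null) || bytes=0
  [ "$bytes" -ge $(( $2 * 1024 * 1024 )) ]
}
# True when the pcap has not been written to for $2 seconds (missing file: false).
is_idle() {                     # $1=file $2=seconds
  local mtime; mtime=$(stat -c %Y "$1" 2>/dev/null) || return 1
  [ $(( $(date +%s) - mtime )) -ge "$2" ]
}
# Start tcpdump on a fresh timestamped file and print its PID.
start_capture() {               # $1=nic $2=filter $3=outdir
  tcpdump -i "$1" -nn -w "$3/hp_$(date +%Y%m%d_%H%M%S).pcap" "$2" >/dev/null 2>&1 &
  echo $!
}
# Supervisor: restart tcpdump if it died, rotate on size or inactivity.
run_loop() {
  local filter pid cur
  filter=$(build_filter "$PORTS") || { echo "bad PORTS: $PORTS" >&2; return 1; }
  mkdir -p "$OUTPUT_DIR" && pid=$(start_capture "$NIC" "$filter" "$OUTPUT_DIR")
  while sleep 5; do
    cur=$(ls -t "$OUTPUT_DIR"/hp_*.pcap 2>/dev/null | head -n 1)
    if ! kill -0 "$pid" 2>/dev/null || needs_rotation "$cur" "$MAX_SIZE_MB" \
       || is_idle "$cur" "$IDLE_SECS"; then
      kill -INT "$pid" 2>/dev/null; wait "$pid" 2>/dev/null   # let tcpdump flush
      pid=$(start_capture "$NIC" "$filter" "$OUTPUT_DIR")
    fi
  done
}
```

Calling run_loop needs tcpdump and capture privileges; the helper functions can be exercised on their own without them.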

Usage

  1. Clone the repository:
     git clone <your-gitlab-repo-url>
     cd <repo-directory>
  2. Make the script executable:
     chmod +x hp_capture.sh
  3. Start the script:
     nohup ./hp_capture.sh > /dev/null 2>&1 &
  4. To stop the script, identify the process ID and terminate it:
     ps -ef | grep hp_capture.sh
     kill -9 <PID>

Daemon Setup

To ensure the script runs as a daemon and restarts automatically, use a systemd service.

Create a systemd Service File

  1. Create a service file:
     sudo vi /etc/systemd/system/hp_capture.service
  2. Add the following content:
     [Unit]
     Description=Honeypot Traffic Capture Daemon
     After=network.target

     [Service]
     ExecStart=/path/to/hp_capture.sh
     Restart=always
     RestartSec=5
     StandardOutput=null
     StandardError=null

     [Install]
     WantedBy=multi-user.target

     Replace /path/to/hp_capture.sh with the full path to the script.
  3. Reload the systemd configuration:
     sudo systemctl daemon-reload
  4. Enable the service to start on boot:
     sudo systemctl enable hp_capture.service
  5. Start the service:
     sudo systemctl start hp_capture.service
  6. Check the service status:
     sudo systemctl status hp_capture.service

Logs

Output logs are stored in the directory specified by OUTPUT_DIR. If running under systemd, use journalctl to view service logs:

journalctl -u hp_capture.service