Copying raw pcap from Security Onion 2.*.* to another system for processing #4038
-
Never considered this would be a problem in SO 2 since I used to copy raw pcap files from SO 16 and had no problem reading them in other tools like Wireshark, but with the way stenographer stores the pcap in SO 2 it seems that this cannot be accomplished anymore. So my question is how would I copy data from /nsm/pcap onto another system where it can be read like normal pcap? I have seen some of the write-ups talking about using the stenoread command and writing to a tmp file, but I want to copy all the pcap data off a server that is almost full and there is no space to write the pcap out again to copy off. Does anybody know a good quick and dirty script or command that will allow me to copy all the pcap SO 2 captured to another box or external storage and transform it to be read by all pcap tools? Thanks
Replies: 3 comments 4 replies
-
The solution my shop came up with was to copy all the steno (nsm/pcap and nsm/pcap index) files to a SAN. We then use a sensor joined to the grid (so it has the certs to read those steno files) to stenoread what we want based on timestamp and originating sensor name. This approach has the added benefit of being able to add parameters to what is being sent through stenoread, to get a .pcap file that's focused on what specifically you are looking for. An alternate approach is to disable steno through the minion pillars, but this causes other issues. You might also consider piping the traffic to a secondary destination at the physical layer. I can provide more details if necessary.
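One way to script the export described in the reply above, as an added example that is not code from the thread or from Security Onion: each daily window is pulled with a stenoread time query and streamed over ssh, so the nearly-full sensor never writes a temporary pcap. It assumes GNU date, a grid-joined sensor with stenoread on PATH (stenoread hands trailing arguments to tcpdump, so `-w -` sends pcap to stdout), and a reachable remote host and directory; the sensor name, hosts and paths are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): export stenographer pcap from a
# Security Onion 2 sensor in daily windows and stream each one over ssh.
# Assumptions: GNU date, stenoread on PATH, ssh access to the remote host.
set -eu

# Build the stenographer query for one [start, end) window, optionally
# narrowed by an extra filter such as 'host 10.0.0.5' (constructed sample).
steno_query() {
  start="$1"; end="$2"; extra="${3:-}"
  q="after ${start} and before ${end}"
  [ -n "$extra" ] && q="${q} and ${extra}"
  printf '%s' "$q"
}

# RFC3339 UTC timestamp exactly 86400 s after the given one (GNU date).
next_day() {
  date -u -d "@$(( $(date -u -d "$1" +%s) + 86400 ))" +%Y-%m-%dT%H:%M:%SZ
}

# Remote file name from the sensor name and window start, e.g. sensor01_2024-01-01.pcap.
out_name() {
  printf '%s_%s.pcap' "$1" "${2%%T*}"
}

# Export every daily window in [FROM, TO) to REMOTE:REMOTE_DIR via ssh.
# Nothing is written locally: stenoread's stdout goes straight into the pipe.
export_windows() {
  sensor="$1"; from="$2"; to="$3"; remote="$4"; remote_dir="$5"; extra="${6:-}"
  start="$from"
  while [ "$(date -u -d "$start" +%s)" -lt "$(date -u -d "$to" +%s)" ]; do
    end=$(next_day "$start")
    query=$(steno_query "$start" "$end" "$extra")
    echo "exporting: $query" >&2
    stenoread "$query" -w - \
      | ssh "$remote" "cat > '${remote_dir}/$(out_name "$sensor" "$start")'"
    start="$end"
  done
}

# Run only when RUN_EXPORT is set, e.g.:
#   RUN_EXPORT=1 ./export.sh sensor01 2024-01-01T00:00:00Z 2024-01-08T00:00:00Z \
#       analyst@storage.example /data/pcap 'host 10.0.0.5'
if [ -n "${RUN_EXPORT:-}" ]; then
  export_windows "$@"
fi
```

Narrowing with an extra filter (a host or port) keeps each exported file focused, as the reply suggests, while the timestamp bounds keep every window small enough to transfer and verify one at a time.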
-
Hi, I was wondering if you found a solution for this? I have nearly a terabyte of data I need to analyze.
-
Attached script answers the question.