ANTFARM/Printable version
This is the print version of ANTFARM You won't see this message or any elements not part of the book's content when you print or preview this page. |
The current, editable version of this book is available in Wikibooks, the open-content textbooks collection, at
https://en.wikibooks.org/wiki/ANTFARM
General
Commands for setting up and running Posgresql Database with Antfarm.
Whether you are running Antfarm with a self-defined environment (reflected in defaults.yml file) or with the default environment, the following Antfarm Commands are useful.
Traceroute
This is a work in progress as of 12/3/08.
Assuming that the user is implementing the latest version of Antfarm, which uses postgresql database. If you are using Antfarm that does not use postgresql database, you can use the following instructions to get started.
Now that you are using Antfarm with postgresql database, use the following Commands to set up your database to be filled with good information!
Parsing a traceroute file using Antfarm:
For your traceroute file:
1. Save your traceroute file as a .txt file (this will be referred to as <traceroute filename>)
NOTE: Your customized script will be automatically saved in the following location:
.antfarm/scripts
When you run the following command at the prompt ($):
$ antfarm
you will see the name of your customized script under "custom".
Run Antfarm traceroute script on your traceroute file (do not include brackets in filenames):
2. Run the following command at the prompt: $ antfarm -e <environment name> custom <traceroute script filename> <traceroute filename>
At this point, you have parsed your traceroute file (<traceroute filename>)using the custom traceroute script in Antfarm (<traceroute script filename>) and the parsed information is saved in your environment (<environment name>).
You can view the output on Antfarm by running the following command (3. For traffic view, 4. For network view):
3. $ antfarm -e <environment name> viz display-traffic 4. $ antfarm -e <environment name> viz display-networks
When displaying the traffic flow from a larger traceroute file, the visual becomes harder to read on the screen. Luckily there is an option that will help minimize this. The "collapse-ports" option allows you to only include one node for each port number discovered in the traceroute file.
5. $ antfarm -e <environment name> viz display-traffic—collapse-ports
The latest version of Antfarm the display is static, using the command above. If you wish to see an animated version of the display, use the following command (using display networks as an example):
6. $ antfarm viz display-networks—active
Sample traceroute script
PCAP
Parsing a PCAP file using Antfarm:
For your PCAP file:
1. Save your PCAP file as a text file (this will be further referred to as <pcap filename>)
NOTE: Your customized script will be automatically saved in the following location:
.antfarm/scripts
When you run the following command at the prompt ($):
$ antfarm
you will see the name of your customized script under "custom".
Run Antfarm pcap script on your pcap file (do not include brackets in filenames unless they are a part of the filename):
2. Run the following command at the prompt: $ antfarm -e <environment name> custom <PCAP script filename> <PCAP text file>
3. For Antfarm version 0.3.0, the parse-pcap-file requires that network entries already exist in the database for BOTH the source IP and destination IP for any record in the pcap file or it will quietly ignore the record. For the newer version of Antfarm, if you use the—create-new-networks flag, it will create the network entry for any new IPs.
For use on a single PCAP file, use:
$ antfarm -e <environment name> custom <PCAP script> --create-new-networks <PCAP text file>
For use on a whole directory of PCAP files, use:
$ antfarm -e <environment name> custom <PCAP script> --create-new-newtorks <PCAP directory name/>
At this point, you have parsed your pcap file (<PCAP text file>)using a custom PCAP script in Antfarm (<PCAP script filename>) and the parsed information is saved in your environment (<environment name>).
You can view the output on Antfarm by running the following command (4. For traffic view, 5. For network view):
4. $ antfarm -e <environment name> viz display-traffic 5. $ antfarm -e <environment name> viz display-networks
When displaying the traffic flow from a larger PCAP file, the visual becomes harder to read on the screen. Luckily there is an option that will help minimize this. The "collapse-ports" option allows you to only include one node for each port number discovered in the PCAP file.
6. $ antfarm -e <environment name> viz display-traffic—collapse-ports
The latest version of Antfarm the display is static, using the command above. If you wish to see an animated version of the display, use the following command (using display networks as an example):
7. $ antfarm viz display-networks—active
Sometimes, the PCAP files that are produced are much too large, use the following command to downsize the PCAP file to a more reasonable size (through the number of packets):
8. $ editcap -r <Original PCAP Filename> <New PCAP Filename> <range of packets>
Example: $ editcap -r Old_PCAP_File New_PCAP_File 5001-7200 This example only takes packet numbers 5001-7200 from the old PCAP file and puts them in the new PCAP file.
Sample PCAP script