EDR: How to Collect a Packet Capture from OSX Sensor
Article ID: 287635
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
How to collect packets on the network interface for analysis.
Environment
- EDR Server: 7.5 and higher
- EDR Sensors: OSX 7.x and higher
Resolution
There are two methods to collect packets on an OSX sensor.
1. In the EDR Console, select the OSX sensor and select the "Go Live" button. Once connected to the sensor, in the Go Live terminal window:
a. Determine the correct interface name needed to capture packets.
execfg ifconfig
b. Run tcpdump filtering on the traffic needed. The count number is needed to terminate the tcpdump command, the count should be large enough to capture the traffic needed.
execfg tcpdump -nni <interface name> -c <number of packets expected> -vw <full path to collection file> host <IP address of interest> and port <port of interest> Example: execfg tcpdump -nni en0 -c 20 -vw /tmp/dumpfile.pcap host 172.16.48.120 and port 443c. Get (pull) the packet capture file from the sensor to the local administrator's endpoint.
get <full path of pcap file> Example: get /tmp/dumpfile.pcapd. Remove the packet capture file.
execfg rm -f /tmp/dumpfile.pcape. Detach the Live Response session.
detach session list session close <session number of the OSX sensor>
2. Remotely connect to the sensor (perhaps SSH) and from the Terminal run:
a. The tcpdump command filtering on the traffic needed. The count option is not necessary since a 'Ctl+c' can terminate the tcpdump process.
tcpdump -nni <interface name> -vw <full path to collection file> host <IP address of interest> and port <port of interest> Example: tcpdump -nni en0 -vw /tmp/dumpfile.pcap host 172.16.48.120 and port 443
Additional Information
- The tcpdump count field is needed within Go Live to avoid hanging the session. If the session hangs, please view the link below to reset Live Response.
Feedback
Yes
No
Powered by
