Reads from files or interface and writes to files in specified directory with filename based on unixtime of first packet in each file. Certain protocols can be suppressed, in which case only the first N packets are recorded to disk. This reduces disk usage saving data which is of little value, such as TLS or VPNs.
Requires
- libtrace
- libflowmanager
- libprotoident
These are all available to download from http://research.wand.net.nz/software/
Suggested invocation
baskerville -d pcapfile:/data/pcap -f 100M -l 10 -s HTTPS,OpenVPN ring:eth0
Dumps packets from eth0 to pcap files in /data/pcap split into 100Mb chunks. Where HTTP and OpenVPN sessions are detected then only the first 10 packets are saved to the pcap.
This version is BETA. Use at your own risk!
Selective protocol extractor from PCAPs or interfaces
Released as open source by NCC Group Plc - http://www.nccgroup.com/
Developed for John Green, cirt at nccgroup dot com
https://github.com/nccgroup/baskerville
Released under AGPL see LICENSE for more information