Chapter 2 Setup
2.1 Use a Project
One of the great features of RStudio is the ability to create projects which is an organized directory tree that contains code and, optionally, data which can be opened in its own RStudio environment. You can hit the just-provided link if you’re sure how to create a project and just follow the steps to create it. You’ll see references to packet-maze-example
throughout the chapters since that’s the name of the project used for the examples. You can also just clone the project via:
$ git clone git@github.com:hrbrmstr/packet-maze-example
2.2 Test Package Loading
Once you have the project loaded into RStudio, try the following to see if you’ve got the packages installed properly:
library(glue, include.only = "glue")
library(jsonlite, include.only = "fromJSON")
library(stringi, include.only = c("stri_replace_all_regex", "stri_replace_all_fixed", "stri_detect_fixed"))
library(exif)
library(sf)
library(magick)
library(tidyverse)
If you were brave and installed the source-only package, you can test loading it as well:
library(MACtools)
If no errors show up, then you’re good-to-go as far as R is concerned.
2.3 Test Command Line Tool Access
Now we’ll see if zeek
and tshark
are available via R:
system("/opt/zeek/bin/zeek -v", intern = TRUE) # use the path to your own Zeek installation or ensure it's on the system PATH
## [1] "/opt/zeek/bin/zeek version 4.0.3"
system("/usr/bin/tshark -v", intern = TRUE) # use the path to your own tshark installation or ensure it's on the system PATH
## [1] "TShark (Wireshark) 3.4.4 (Git v3.4.4 packaged as 3.4.4-1ubuntu1)"
## [2] ""
## [3] "Copyright 1998-2021 Gerald Combs <gerald@wireshark.org> and contributors."
## [4] "License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>"
## [5] "This is free software; see the source for copying conditions. There is NO"
## [6] "warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
## [7] ""
## [8] "Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,"
## [9] "with GLib 2.67.5, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.17.1, with Lua"
## [10] "5.2.4, with GnuTLS 3.7.0 and PKCS #11 support, with Gcrypt 1.8.7, with MIT"
## [11] "Kerberos, with MaxMind DB resolver, with nghttp2 1.43.0, with brotli, with LZ4,"
## [12] "with Zstandard, with Snappy, with libxml2 2.9.10."
## [13] ""
## [14] "Running on Linux 5.11.0-22-generic, with Intel(R) Xeon(R) CPU E5-2630 v2 @"
## [15] "2.60GHz (with SSE4.2), with 128867 MB of physical memory, with locale"
## [16] "en_US.UTF-8, with libpcap version 1.10.0 (with TPACKET_V3), with GnuTLS 3.7.1,"
## [17] "with Gcrypt 1.8.7, with brotli 1.0.9, with zlib 1.2.11, binary plugins supported"
## [18] "(0 loaded)."
## [19] ""
## [20] "Built using gcc 10.2.1 20210312."
Finally, make a project sub-directory called maze
and put the downloaded PCAP in there with a name of maze/maze.pcapng
and see if we can reach it from R:
list.files("maze")
## [1] "conn.log" "dns.log" "files.log"
## [4] "ftp-q.json" "ftp-q1.json" "ftp.log"
## [7] "hosts.txt" "http.log" "maze.pcapng"
## [10] "maze.txt" "packet_filter.log" "proton-q.json"
## [13] "ssl.log" "tunnel.log" "weird.log"
## [16] "x509.log"
(You should see the maze.pcapng
file listed).
2.4 Tweak Zeek Configuration
One of the questions requires discovering an FTP password. By default, Zeek won’t extract passwords when processing PCAPs (thanks, nigh-useless compliance regimes) so you need to locate your local.zeek
configuration file (see the Zeek Quick Start for where to look) and add this line to disable the password masking:
redef FTP::default_capture_password = T;
You may also want to validate that your local Zeek install has share/zeek/policy/protocols/conn/mac-logging.zeek
accessible since we’ll be invoking it with that feature.