Pycapa is an open source tool that handles packet capture ingestion for OpenSOC. It is intended as a testing and development tool and is not performant enough for production operations. The tool captures packets from a specified interface and pushes them into a Kafka topic in a format understood by OpenSOC's PcapParserBolt.
First install the required packages with pip:
pip install -r requirements.txt
Then install pycapa:
python setup.py install
usage: pycapa.py [-h] [-t TOPIC] [-z ZOOKEEPER] [-l] [-d] -i INTERFACE
optional arguments:
-h, --help show this help message and exit
-t TOPIC, --topic TOPIC
topic to produce to
-z ZOOKEEPER, --zookeeper ZOOKEEPER
zookeeper server
-l, --local print packet instead of send to kafka
-d, --debug enable debug messages
-i INTERFACE, --interface INTERFACE
interface to listen on
Each Kafka message corresponds to a single packet captured from the wire. A Kafka message can be thought of as a single-packet libpcap capture file: it contains the pcap global header, the packet (record) header, and the packet data, in that order.
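The following is an added example, not code from the pycapa project, showing what that message layout looks like in practice. build_message wraps one raw frame as a single-packet libpcap file (24-byte global header, 16-byte record header, packet bytes), and parse_message is the consumer-side check a bolt would want: it detects byte order from the magic number, verifies the version, and refuses messages whose length fields disagree with the bytes actually present instead of trusting incl_len. The helper names, the endian parameter and the sample Ethernet frame are assumptions made for illustration; the header formats and constants are the public libpcap file format.

```python
import struct
import time

# libpcap file-format constants (public format; not specific to pycapa).
PCAP_MAGIC_USEC = 0xA1B2C3D4      # microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D      # nanosecond timestamps
MAGIC_TICKS = {PCAP_MAGIC_USEC: 1000000, PCAP_MAGIC_NSEC: 1000000000}
PCAP_VERSION_MAJOR, PCAP_VERSION_MINOR = 2, 4
DLT_EN10MB = 1                    # link type: Ethernet

# Field layouts without a byte-order prefix; one is added per call.
GLOBAL_HEADER_FMT = "IHHiIII"     # magic, major, minor, thiszone, sigfigs, snaplen, network
RECORD_HEADER_FMT = "IIII"        # ts_sec, ts_frac, incl_len, orig_len
GLOBAL_HEADER_LEN = struct.calcsize("<" + GLOBAL_HEADER_FMT)   # 24
RECORD_HEADER_LEN = struct.calcsize("<" + RECORD_HEADER_FMT)   # 16

# Constructed sample frame (assumption, not captured traffic): broadcast dst MAC,
# a locally administered src MAC, EtherType IPv4, then 20 bytes of filler.
SAMPLE_FRAME = (
    bytes.fromhex("ffffffffffff")
    + bytes.fromhex("020000000001")
    + bytes.fromhex("0800")
    + b"\x45" + b"\x00" * 19
)


def build_message(packet, ts=None, snaplen=65535, linktype=DLT_EN10MB, endian="<"):
    """Producer side (hypothetical helper): wrap one raw frame as a
    single-packet pcap file, the payload layout this README describes."""
    if ts is None:
        ts = time.time()
    ts_sec = int(ts)
    ts_usec = int(round((ts - ts_sec) * 1000000))
    incl_len = min(len(packet), snaplen)          # honour snaplen like a capture would
    global_header = struct.pack(endian + GLOBAL_HEADER_FMT, PCAP_MAGIC_USEC,
                                PCAP_VERSION_MAJOR, PCAP_VERSION_MINOR,
                                0, 0, snaplen, linktype)
    record_header = struct.pack(endian + RECORD_HEADER_FMT,
                                ts_sec, ts_usec, incl_len, len(packet))
    return global_header + record_header + bytes(packet[:incl_len])


def parse_message(msg):
    """Consumer side (hypothetical helper): validate one message and return
    (timestamp, linktype, packet_bytes). Raises ValueError rather than
    slicing on attacker- or bug-controlled length fields."""
    if len(msg) < GLOBAL_HEADER_LEN + RECORD_HEADER_LEN:
        raise ValueError("message shorter than pcap global + record headers")

    # Byte order is not stated explicitly; it is inferred from the magic number.
    endian = None
    for candidate in ("<", ">"):
        magic, = struct.unpack(candidate + "I", msg[:4])
        if magic in MAGIC_TICKS:
            endian, ticks_per_sec = candidate, MAGIC_TICKS[magic]
            break
    if endian is None:
        raise ValueError("not a pcap stream: magic %s" % msg[:4].hex())

    _, major, minor, _, _, snaplen, linktype = struct.unpack(
        endian + GLOBAL_HEADER_FMT, msg[:GLOBAL_HEADER_LEN])
    if (major, minor) != (PCAP_VERSION_MAJOR, PCAP_VERSION_MINOR):
        raise ValueError("unsupported pcap version %d.%d" % (major, minor))

    rec = msg[GLOBAL_HEADER_LEN:GLOBAL_HEADER_LEN + RECORD_HEADER_LEN]
    ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + RECORD_HEADER_FMT, rec)
    if incl_len > orig_len or incl_len > snaplen:
        raise ValueError("inconsistent lengths: incl=%d orig=%d snaplen=%d"
                         % (incl_len, orig_len, snaplen))

    # One packet per message: the remainder must be exactly incl_len bytes.
    data = msg[GLOBAL_HEADER_LEN + RECORD_HEADER_LEN:]
    if len(data) != incl_len:
        raise ValueError("expected %d packet bytes, got %d" % (incl_len, len(data)))
    return ts_sec + ts_frac / float(ticks_per_sec), linktype, data


if __name__ == "__main__":
    m = build_message(SAMPLE_FRAME, ts=1400000000.5)
    print("message bytes:", len(m), "hex:", m.hex())
    print("parsed:", parse_message(m))
```

A message built this way can be produced to the topic as-is; on the consumer side, the length and version checks are what keep a malformed or truncated message from being turned into a bogus packet record.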