Accessing and Getting Captures

Jump to: Getting captures off | Dealing with large captures

If you are looking for information about purchasing and deploying sniffers, see: Setup and Installation
More advanced usage (such as handling large captures) is covered in: Beyond the basics

Basic use of the sniffers

The device boots immediately on power-up and starts capturing from both ports automatically.
As soon as a port mirror is set up, the sniffer will record that traffic, since it is already capturing.

If these are attached to a Juniper, you can access them by logging in from the switch itself.
From Cisco devices you will need to set up a route so that the management IP is reachable from a jump box.

Once you have access to the management port, the device is reachable at 192.168.2.1/24.
Log in using SSH as USER: sniffer / PASSWORD: sniffer; the captures are in /data01/

Once you have access, you can reconfigure the device to use its allocated IP, set up the networking and change the password.
The sniff port is allocated 192.168.1.1/24, so if the cabling is set up wrongly you can still reach and configure the device.

You can copy the pcap files from /data01/ on the box to your desktop using scp (WinSCP for Windows), then inspect them in Wireshark.

Getting captures off

This follows on from the Setup and Installation guide.

This is a worked example of getting captures off a sniffer whose MGMT port is on S*****.**1;
the captures are in the folder /data01/au on the sniffer.

In this example the sniffer has already had a MGMT IP assigned,
but the same steps work for a device that is still in its default configuration (no address assigned).

You can get captures off the sniffers by copying them with WinSCP over a PuTTY tunnel.

In case you don't have it: PuTTY Download

Create a session for d******2, but don't open it yet:


Add a tunnel to this:


Click "Add", then open this and log in:


When the d****2 session is connected, create another session for the switch:


Add a tunnel to this too:

Click "Add", then open this and log in.

You now have two open sessions: one for d*****2 and one for the switch.

In the switch session, find the IP of the sniffer:

I did this by looking for the description, then querying the interface.

It may have IP 192.168.2.2 on the interface, in which case the sniffer is on the default 192.168.2.1.
In this case it is 6*.**.**.**8, so the sniffer is on 6*.**.**.**7 (it might also have been on .109).

In case you don't have it: WinSCP download

Set up a WinSCP session to the sniffer:


Then open the session and navigate to the capture folder in the right pane:


NOTE: If you get a dialog complaining about permissions:

Go to the session that is logged into the sniffer and run the following (note that this makes the whole capture tree readable and writable by every account on the box):
s*****r@s******001:~$ sudo chmod -R a+rw /data01
[sudo] password for s*****r:(not shown)
s*****r@s******001:~$
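For anyone pulling captures from a Linux or macOS desktop rather than WinSCP, the same two-hop path (jump box, then switch, then sniffer) can be expressed with OpenSSH's ProxyJump instead of PuTTY tunnels. This is an added example, not part of the original page: the hostnames are placeholders for the redacted d******2 and switch names, and it assumes sha256sum is available on the sniffer so that a transfer cut short by a flaky tunnel is caught before the file is opened in Wireshark.

```shell
#!/bin/sh
# Added example, not the page's own procedure. Placeholder hosts; override via env.
JUMP_HOST="${JUMP_HOST:-jumpbox.example}"       # placeholder for d******2
SWITCH_HOST="${SWITCH_HOST:-switch.example}"    # placeholder for the switch
SNIFFER_USER="${SNIFFER_USER:-sniffer}"         # default login from the page
CAPTURE_DIR="${CAPTURE_DIR:-/data01}"           # capture folder from the page

# Build the -J (ProxyJump) hop list. Empty hops are skipped, so the same
# function serves a sniffer reachable directly, via one hop, or via both.
proxy_chain() {
    chain=""
    for hop in "$@"; do
        [ -n "$hop" ] || continue
        chain="${chain:+$chain,}$hop"
    done
    printf '%s' "$chain"
}

# Check every file listed in "$1/remote.sha256" against the copies in "$1".
# Returns non-zero if any capture is missing or differs from the sniffer's copy.
verify_captures() {
    (cd "$1" && sha256sum -c --quiet remote.sha256 >/dev/null 2>&1)
}

# Copy all pcaps from the sniffer to a local directory, then verify them
# against hashes computed on the sniffer before the transfer.
fetch_captures() {
    sniffer="$1"; dest="$2"
    chain=$(proxy_chain "$JUMP_HOST" "$SWITCH_HOST")
    jump_opt=""
    [ -n "$chain" ] && jump_opt="-J $chain"
    mkdir -p "$dest"
    # shellcheck disable=SC2086  # $jump_opt is intentionally word-split
    ssh $jump_opt "$SNIFFER_USER@$sniffer" \
        "cd '$CAPTURE_DIR' && sha256sum *.pcap" > "$dest/remote.sha256"
    scp $jump_opt "$SNIFFER_USER@$sniffer:$CAPTURE_DIR/*.pcap" "$dest/"
    verify_captures "$dest"
}

# Usage: ./fetch_captures.sh <sniffer-ip> <local-dir>
if [ $# -eq 2 ]; then
    fetch_captures "$1" "$2"
fi
```

If the sniffer is on the default address with no tunnel needed, set JUMP_HOST and SWITCH_HOST to empty strings and the script connects directly.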

What next? Beyond the basics: chopping up large captures, etc.