If you are not a Savvius Maintenance Customer but would like to purchase a Maintenance contract for your Savvius product please click here for sales information.
Category : Scripts
Submitted By : spacepacket
Downloaded : 185 Times
With the Forensics command line utility, you can make a forensics search to a local or remote OmniEngine. The resulting packets are aggregated into a single local trace file.
The Forensics command line is ideal for running forensics searches from machines that do not have OmniPeek Console installed, and for integrating OmniEngine captures into larger automated capture solutions.
The forensics utility requires OmniScript 5.2.14 or higher, and is also included with the OmniScript release.
Bonus: The source for this utility has also been posted.
Below is the usage and some sample command lines:
usage: forensics [-v] [-h hostname] [-d domain] [-a authentication] [-u username] [-p password] [-o output filename] [-s starttime (yy.mm.dd.hh.mm.ss)] [-e stoptime (yy.mm.dd.hh.mm.ss)] [-f filtername] [-t filename] -h IP of the OmniEngine to connect to. Default is localhost -d Domain of the OmniEngine to connect to. Only necessary if OmniEngine is part of a domain. -a If OmniEngine is linux, use "Third Party" -u Username (if OmniEngine is remote) -p Password (if OmniEngine is remote) -o Name of new packet file to put resulting packets into -s Start time of search (e.g. 10.07.01.12.00.00) -e End time of search (e.g. 10.07.01.12.00.01) -f Name of filter to use in search (e.g. HTTP or ARP) -t Name of file to search. Must use absolute path.
forensics -o test.pkt
This is the simplest form of the command. It will generate a file called test.pkt, containing all of the packets from all of the files on the localhost OmniEngine.
Example 2: Remote
forensics -h 10.4.2.54 -u user -p password -s 10.07.01.12.00.00 -e 10.07.01.12.00.01 -o test.pkt
This example connects to a remote OmniEngine and generates a file called test.pkt containing the packets for 1 second between the specified start and end times.
Example 3: Filter
forensics -f HTTP -o test.pkt
This example connects to a local OmniEngine and generates a file called test.pkt containing all of the packets that match the HTTP filter.
7/21/10 Version 18.104.22.168
- First released to MyPeek.