Hi all,

My Setup:

System specs:
OS: Debian (etch)
VMWare: VMware Server 1.0.4 build-56528
Capture Server: capture-server-2.1.0-300

Revert was rebuilt from source as I received a "Floating Point Exception" when executing the packaged one.

Command used to invoke capture-server:

java -Djava.net.preferIPv4Stack=true -jar /home/<user>/capture-server-2.1.0-300/CaptureServer.jar -s 192.168.1.80:7070 -f input_urls_example.txt

Error received:

Option added: server-listen-port => 7070
Option added: server-listen-address => 192.168.1.80
Option added: input_urls => input_urls_example.txt
CaptureServer: Listening for connections
Validating config.xml ...
config.xml successfully validated
Option added: capture-network-packets-benign => false
Option added: capture-network-packets-malicious => false
Option added: client-default-visit-time => 10
Option added: collect-modified-files => false
Option added: p_m => 0.019
Option added: send-exclusion-lists => false
ExclusionList: file - FileMonitor.exl: File not found
ExclusionList: process - ProcessMonitor.exl: File not found
ExclusionList: registry - RegistryMonitor.exl: File not found
[192.168.1.80:902] VM added
[May 9, 2008 3:10:53 PM-192.168.1.80:902-23764290] VMSetState: WAITING_TO_BE_REVERTED
[May 9, 2008 3:10:53 PM-192.168.1.80:902-23764290] VMSetState: REVERTING
VIX Error on reverting to snapshot: The system returned an error. Communication with the virtual machine may have been interrupted
E Disconnected
[May 9, 2008 3:10:55 PM 192.168.1.80:902-23764290] VMware error 255
[May 9, 2008 3:10:55 PM-192.168.1.80:902-23764290] VMSetState: ERROR

AND

./revert 192.168.1.80 <username> <password> "/var/lib/vmware/VirtualMachines/XPProSP2-1/Windows XP Professional.vmx" "Administrator" "<password>" "cmd.exe" "/K C:\program files\capture\captureclient.bat -s 192.168.1.80 -p 7070 -a 1 -b 2"
VIX Error on reverting to snapshot: The system returned an error. Communication with the virtual machine may have been interrupted
E Disconnected

*** username and password replaced by <username> and <password> respectively, obviously :) ***

A tcpdump shows traffic between the vmware-authd service and capture-server/revert:

--- snip ---
15:10:19.596533 IP 192.168.1.80.60050 > 192.168.1.80.vmware-authd: S 3987959762:3987959762(0) win 32792 <mss 16396,sackOK,timestamp 123508 0,nop,wscale 7>
15:10:19.630124 IP 192.168.1.80.vmware-authd > 192.168.1.80.60050: S 3994695723:3994695723(0) ack 3987959763 win 32768 <mss 16396,sackOK,timestamp 123508 123508,nop,wscale 7>
15:10:19.630160 IP 192.168.1.80.60050 > 192.168.1.80.vmware-authd: . ack 1 win 257 <nop,nop,timestamp 123508 123508>
15:10:19.601887 IP 192.168.1.80.vmware-authd > 192.168.1.80.60050: P 1:87(86) ack 1 win 256 <nop,nop,timestamp 123509 123508>
15:10:19.601935 IP 192.168.1.80.60050 > 192.168.1.80.vmware-authd: . ack 87 win 257 <nop,nop,timestamp 123509 123509>
--- snip ---

I am able to connect to the capture-server, via the vmware-console, both from localhost and remotely using the info in config.xml:

--- snip ---
<exclusion-list monitor="file" file="FileMonitor.exl" />
<exclusion-list monitor="process" file="ProcessMonitor.exl" />
<exclusion-list monitor="registry" file="RegistryMonitor.exl" />
<virtual-machine-server type="vmware-server" address="192.168.1.80" port="902" username="<user>" password="<password>">
    <virtual-machine vm-path="/var/lib/vmware/VirtualMachines/XPProSP2-1/Windows XP Professional.vmx" client-path="C:\Program Files\Capture\CaptureClient.bat" username="<user>" password="<password>"/>
--- snip ---

*** username and password replaced by <username> and <password> respectively, obviously :) ***

Must the Guest OS be in a specific state (on, suspended, off)?

Any ideas or suggestions?

Thanks in advance
_______________________________________________
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc