Hi all, I've been having some problems getting the current version of Capture (capture-server-2.1.0-300) up and running on a machine running the current version of Kubuntu and the latest VMWare Server (VMware-server-1.0.6-91891.tar.gz).
I've documented the server build process here: http://www.ukhoneynet.org/2008/07/28/compiling-capture-hpc-on-vmware-server-106/

My honeypot is WinXP SP2 with the default Capture install (capture-client-2.1.0-300), as per the Readme file. I've temporarily disabled iptables on the server and I've checked client/server connectivity by telnetting to the relevant ports. The usernames and passwords also work when tested locally and permissions seem correct.

Server IP = 192.168.0.144
Honeypot VM IP = 192.168.0.21

Attempting to process the sample URLs results in this behaviour:

[EMAIL PROTECTED]:~/client_honeypots/capture-server-2.1.0-300$ /usr/lib/jvm/java-6-sun/bin/java -Djava.net.preferIPv4Stack=true -jar CaptureServer.jar -s 192.168.0.144:7070 -f input_urls_example.txt
Option added: server-listen-port => 7070
Option added: server-listen-address => 192.168.0.144
Option added: input_urls => input_urls_example.txt
CaptureServer: Listening for connections
Validating config.xml ...
config.xml successfully validated
Option added: capture-network-packets-benign => false
Option added: capture-network-packets-malicious => false
Option added: client-default-visit-time => 10
Option added: collect-modified-files => false
Option added: p_m => 1
Option added: send-exclusion-lists => false
ExclusionList: file - FileMonitor.exl: File not found
ExclusionList: process - ProcessMonitor.exl: File not found
ExclusionList: registry - RegistryMonitor.exl: File not found
[192.168.0.144:902] VM added
[Jul 30, 2008 12:31:27 PM-192.168.0.144:902-3374351] VMSetState: WAITING_TO_BE_REVERTED
[Jul 30, 2008 12:31:27 PM-192.168.0.144:902-3374351] VMSetState: REVERTING
Hostname: 192.168.0.144
Username: david
Password: dummypassword
VMPath: /var/lib/vmware/Virtual Machines/Capture1/Capture1.vmx
Guest Username: Administrator
Guest Password: client1
Guest Cmd: cmd.exe
Guest Options: /K C:\Progra~1\Capture\CaptureClient.bat -s 192.168.0.144 -p 7070 -a 27687351 -b 3374351
VIX Error on connect in connect: One of the parameters was invalid
E Disconnected
[Jul 30, 2008 12:31:29 PM 192.168.0.144:902-3374351] VMware error 255
[Jul 30, 2008 12:31:29 PM-192.168.0.144:902-3374351] VMSetState: ERROR

However, if I manually initiate Capture on the client honeypot VM by running:

C:\Progra~1\Capture\CaptureClient.bat -s 192.168.0.144 -p 7070 -a 27687351 -b 3374351

I then get the following in the running Capture server output:

<connect vm-server-id="27687351" vm-id="3374351"/>
[Jul 30, 2008 12:32:24 PM-192.168.0.144:902-3374351] ClientSetState: CONNECTED
[Jul 30, 2008 12:32:24 PM-192.168.0.144:902-3374351] ClientSetState: WAITING
[Jul 30, 2008 12:32:24 PM-192.168.0.144:902-3374351] VMSetState: RUNNING
<visit-event identifier="-2096107695" program="iexplore" time="30/7/2008 12:33:3.45" type="start" malicious="0"><item url="http%3a%2f%2fwww.google.com" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:3.45" visited="0"></item></visit-event>
[Jul 30, 2008 12:32:25 PM-192.168.0.144:902-3374351] Visiting group -2096107695 UrlSetState: VISITING
[Jul 30, 2008 12:32:25 PM-192.168.0.144:902-3374351] ClientSetState: VISITING
<pong/>
[Jul 30, 2008 12:32:27 PM-192.168.0.144:902-3374351] Got pong
<visit-event identifier="-2096107695" program="iexplore" time="30/7/2008 12:33:21.342" type="finish" malicious="0"><item url="http%3a%2f%2fwww.google.com" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:21.342" visited="1"></item></visit-event>
[Jul 30, 2008 12:32:36 PM-192.168.0.144:902-3374351] Visited group -2096107695 BENIGN UrlSetState: VISITED
[Jul 30, 2008 12:32:36 PM-192.168.0.144:902-3374351] ClientSetState: WAITING
<visit-event identifier="-126122049" program="iexplore" time="30/7/2008 12:33:21.702" type="start" malicious="0"><item url="http%3a%2f%2fwww.google.de" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:21.702" visited="0"></item></visit-event>
[Jul 30, 2008 12:32:37 PM-192.168.0.144:902-3374351] Visiting group -126122049 UrlSetState: VISITING
[Jul 30, 2008 12:32:37 PM-192.168.0.144:902-3374351] ClientSetState: VISITING
<pong/>
[Jul 30, 2008 12:32:37 PM-192.168.0.144:902-3374351] Got pong
<visit-event identifier="-126122049" program="iexplore" time="30/7/2008 12:33:36.139" type="finish" malicious="0"><item url="http%3a%2f%2fwww.google.de" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:36.139" visited="1"></item></visit-event>
[Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] Visited group -126122049 BENIGN UrlSetState: VISITED
[Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] ClientSetState: WAITING
<visit-event identifier="961326393" program="iexplore" time="30/7/2008 12:33:36.295" type="start" malicious="0"><item url="http%3a%2f%2fwww.google.fr" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:36.295" visited="0"></item></visit-event>
[Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] Visiting group 961326393 UrlSetState: VISITING
[Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] ClientSetState: VISITING
<pong/>
[Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] Got pong
<visit-event identifier="961326393" program="iexplore" time="30/7/2008 12:33:54.467" type="finish" malicious="0"><item url="http%3a%2f%2fwww.google.fr" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:54.467" visited="1"></item></visit-event>
[Jul 30, 2008 12:32:53 PM-192.168.0.144:902-3374351] Visited group 961326393 BENIGN UrlSetState: VISITED
[Jul 30, 2008 12:32:53 PM-192.168.0.144:902-3374351] ClientSetState: WAITING
<visit-event identifier="-1716674727" program="iexplore" time="30/7/2008 12:33:54.514" type="start" malicious="0"><item url="http%3a%2f%2fwww.google.it" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:54.514" visited="0"></item></visit-event>
[Jul 30, 2008 12:32:54 PM-192.168.0.144:902-3374351] Visiting group -1716674727 UrlSetState: VISITING
[Jul 30, 2008 12:32:54 PM-192.168.0.144:902-3374351] ClientSetState: VISITING
<pong/>
[Jul 30, 2008 12:32:58 PM-192.168.0.144:902-3374351] Got pong
<visit-event identifier="-1716674727" program="iexplore" time="30/7/2008 12:34:11.30" type="finish" malicious="0"><item url="http%3a%2f%2fwww.google.it" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:34:11.30" visited="1"></item></visit-event>
[Jul 30, 2008 12:33:00 PM-192.168.0.144:902-3374351] Visited group -1716674727 BENIGN UrlSetState: VISITED
[Jul 30, 2008 12:33:00 PM-192.168.0.144:902-3374351] ClientSetState: WAITING
<visit-event identifier="1053184499" program="iexplore" time="30/7/2008 12:34:11.92" type="start" malicious="0"><item url="http%3a%2f%2fwww.google.co.nz" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:34:11.92" visited="0"></item></visit-event>
[Jul 30, 2008 12:33:00 PM-192.168.0.144:902-3374351] Visiting group 1053184499 UrlSetState: VISITING
[Jul 30, 2008 12:33:00 PM-192.168.0.144:902-3374351] ClientSetState: VISITING
<pong/>
[Jul 30, 2008 12:33:07 PM-192.168.0.144:902-3374351] Got pong
<visit-event identifier="1053184499" program="iexplore" time="30/7/2008 12:34:25.811" type="finish" malicious="0"><item url="http%3a%2f%2fwww.google.co.nz" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:34:25.811" visited="1"></item></visit-event>
[Jul 30, 2008 12:33:11 PM-192.168.0.144:902-3374351] Visited group 1053184499 BENIGN UrlSetState: VISITED
[Jul 30, 2008 12:33:11 PM-192.168.0.144:902-3374351] ClientSetState: WAITING
<pong/>
[Jul 30, 2008 12:33:17 PM-192.168.0.144:902-3374351] Got pong
<pong/>
[Jul 30, 2008 12:33:27 PM-192.168.0.144:902-3374351] Got pong
<pong/>
[Jul 30, 2008 12:33:37 PM-192.168.0.144:902-3374351] Got pong
<pong/>
[Jul 30, 2008 12:33:47 PM-192.168.0.144:902-3374351] Got pong
<pong/>
[Jul 30, 2008 12:33:57 PM-192.168.0.144:902-3374351] Got pong
<pong/>
[Jul 30, 2008 12:34:07 PM-192.168.0.144:902-3374351] Got pong

With everything working as expected.

Any ideas as to why I can't automatically revert the VM and launch the Capture client, or what causes the "VIX Error on connect in connect: One of the parameters was invalid" error?

Thanks,

David

--
David Watson
UK Honeynet Project
www.ukhoneynet.org
[EMAIL PROTECTED]

_______________________________________________
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc