Hi Mohammed,

It's been a while since I did this, so please forgive me if my suggestions don't work....

You may have a different version of the VIX libraries from the ones that were about when I used them. I have a few questions though:

- Are you using ESXi free version, or ESX/VSphere full paid version? If you are using ESXi free then the revert binary won't compile. You need to use the script provided in the document instead.
- If you are using ESX/VSphere paid version, then you need to edit the compile_revert_linux.sh script and change the library '.so' it's looking for to a different one (section 5.10.2 in my doc). It tries to look for the libvmware-vix.so, whereas ESXi free uses libvix.so

I remember that this part was the trickiest part of all. I had to make sure that the shell environment variables listed in section 5.8.2 were correctly set up before the compile would take place.

Hope that helps a bit?

Cheers

Terry MacDonald

On 04/09/2012, Mohamed Hamed Al Rashdi <mohamed.alras...@ita.gov.om> wrote:
> Dear Terry,
>
> I've started all over again following your guide, however I've faced errors
> while compiling.
> I've attached an image of what the error looks like,
>
>
> ________________________________
> From: capture-hpc-boun...@public.honeynet.org
> [capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry MacDonald
> [terry.macdon...@gmail.com]
> Sent: Tuesday, August 28, 2012 3:35 PM
> To: General discussion list for Capture-HPC users
> Subject: Re: [Capture-HPC] Capture-HPC VMWare error
>
> Hi Mohamed,
>
> I would recommend reading section 5 of the
> How_to_compile_Capture-HPC_v1.2.doc if you are running Capture Server for
> linux. That specific command is part of a replacement shell script that I
> wrote for the revert binary that uses plink ssh client to connect from the
> CaptureHPC server to the VMware server running the CaptureHPC clients, and
> restarts them. That's in section 5.10.3. But I would recommend running
> through the complete section 5 as the commands were all written to work as a
> whole.
>
> Also, if you've found some better ways to get around some of the issues I'd
> love to hear about them.
>
> Cheers
>
> Terry MacDonald
>
>
> On 28 August 2012 21:56, Mohamed Hamed Al Rashdi
> <mohamed.alras...@ita.gov.om> wrote:
> Dear Terry,
>
> Thanks for your reply, however can you illustrate how to use a vin-cmd
> command executed over ssh?
>
> Thanks.
>
> From: capture-hpc-boun...@public.honeynet.org
> [mailto:capture-hpc-boun...@public.honeynet.org]
> On Behalf Of Terry MacDonald
> Sent: Tuesday, August 28, 2012 12:52 PM
> To: General discussion list for Capture-HPC users
> Subject: Re: [Capture-HPC] Capture-HPC VMWare error
>
> Hi Mohamed,
>
> You might be hitting a problem I remember having. VMWare changed the
> licensing on their VIX libraries on later versions to limit the number of
> APIs you could use without a valid license. And that stopped the built-in
> linux revert script from working. So I found a different way. It seemed that
> you could use a vin-cmd command executed over ssh to get it to work.
>
> It's probably time to resend out the documentation I wrote early last year as
> you might find it handy. The docs cover how to compile CaptureHPC v1.2, and
> how to configure CaptureHPC v1.3. (I didn't get round to writing the how to
> compile CaptureHPC v1.3 doc). But hopefully you find it useful. If you have
> any corrections you find, it would be good if you could post the workarounds
> here for everyone to use.
>
> Hope that helps
>
> Terry MacDonald
>
>
> On 28 August 2012 20:31, Mohamed Hamed Al Rashdi
> <mohamed.alras...@ita.gov.om> wrote:
> Dear experts,
>
> I have been trying to implement the capture-HPC for a month now, and I’ve
> had trouble initiating it. Been troubleshooting for 4 weeks.
>
> Here’s the latest result,
>
> Option added: server-listen-port => 7070
> Option added: server-listen-address => 10.30.10.234
> Option added: input_urls => input_urls_example.txt
> CaptureServer: Listening for connections
> Validating config.xml ...
> config.xml successfully validated
> Option added: capture-network-packets-benign => false
> Option added: capture-network-packets-malicious => false
> Option added: client-default => iexplorebulk
> Option added: client-default-visit-time => 20
> Option added: client_inactivity_timeout => 60
> Option added: collect-modified-files => false
> Option added: different_vm_revert_delay => 24
> Option added: group_size => 20
> Option added: revert_timeout => 120
> Option added: same_vm_revert_delay => 6
> Option added: send-exclusion-lists => false
> Option added: terminate => true
> Option added: vm_stalled_after_revert_timeout => 120
> Option added: vm_stalled_during_operation_timeout => 300
> ExclusionList: file - FileMonitor.exl: File not found
> ExclusionList: process - ProcessMonitor.exl: File not found
> ExclusionList: registry - RegistryMonitor.exl: File not found
> [10.30.10.234:7070] VM added
> [Aug 28, 2012 12:27:33 PM-10.30.10.234:7070-9616314] VMSetState: WAITING_TO_BE_REVERTED
> PARSING PREPROCESSOR
> n is null
> PARSING POSTPROCESSOR
> n is null
> Got 0 in URL queue.
> Waiting for input URLs...
> [Aug 28, 2012 12:27:35 PM-10.30.10.234:7070-9616314] VMSetState: REVERTING
> [Aug 28, 2012 12:27:36 PM 10.30.10.234:7070-9616314] VMware error 2
> [Aug 28, 2012 12:27:36 PM-10.30.10.234:7070-9616314] VMSetState: ERROR
> Reverting different VM...waiting considerably
> [Aug 28, 2012 12:28:00 PM-10.30.10.234:7070-9616314] Finished processing VM item: revert
> Waiting for input URLs...
>
> I’ve been trying to figure out the “VMware error2” problem, however I was
> unable to locate anything useful.
>
> Any help?
>
> Thanks.
>
>
> Regards
>
> Mohamed Hamed Al-Rashdi
> Digital Forensics Specialist
> Oman National CERT | www.cert.gov.om
>
> Information Technology Authority
> Sultanate Of Oman
>
> | +968 24166743 | P.O.Box: 1807
> | +968 24166818 | P.C: 130 | Azaibah
>
> mohamed.alras...@ita.gov.om | www.ita.gov.om
>
> ________________________________
>
> The information contained in this message and any file and/or attachment
> transmitted herewith is confidential and may be legally privileged. It is
> intended solely for the use of the addressee and must not be disclosed to or
> used by anyone other than the addressee. If you receive this transmission by
> error, please notify the sender immediately by reply e-mail and destroy the
> original transmission and its attachments. If you are not the intended
> recipient, please be advised that viewing, copying, forwarding, printing and
> disseminating any information related to this mail is prohibited and you
> should not take any action based on the content of this mail and/or the
> attachments.
>
> _______________________________________________
> Capture-HPC mailing list
> Capture-HPC@public.honeynet.org
> https://public.honeynet.org/mailman/listinfo/capture-hpc
>

--
Terry MacDonald
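
The server output quoted in the first message of this thread shows a VM going from REVERTING to ERROR with "VMware error 2" in between. As an added example (not part of the thread and not Capture-HPC code), the Python below parses that log format and reports each failed revert with its error code; the regular expressions are inferred from the quoted lines only and are an assumption about the format.

```python
import re
from datetime import datetime

# Lines copied from the server output quoted in the thread above.
SAMPLE_LOG = """\
[10.30.10.234:7070] VM added
[Aug 28, 2012 12:27:33 PM-10.30.10.234:7070-9616314] VMSetState: WAITING_TO_BE_REVERTED
Waiting for input URLs...
[Aug 28, 2012 12:27:35 PM-10.30.10.234:7070-9616314] VMSetState: REVERTING
[Aug 28, 2012 12:27:36 PM 10.30.10.234:7070-9616314] VMware error 2
[Aug 28, 2012 12:27:36 PM-10.30.10.234:7070-9616314] VMSetState: ERROR
[Aug 28, 2012 12:28:00 PM-10.30.10.234:7070-9616314] Finished processing VM item: revert
"""

# [<timestamp>-<host:port>-<vm id>] <message>; the quoted log has both "-" and " "
# after AM/PM, so accept either separator (format inferred, not documented).
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M)[- ]"
    r"(?P<server>[\d.]+:\d+)-(?P<vm>\d+)\]\s+(?P<msg>.*)$"
)
STATE_RE = re.compile(r"^VMSetState:\s*(\w+)$")
ERROR_RE = re.compile(r"^VMware error (\d+)$")


def find_failed_reverts(log_text):
    """Return one record per REVERTING -> ERROR transition of a VM."""
    state, code, failures = {}, {}, []  # per-VM (state, since), per-VM error code
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # option and queue-status lines carry no per-VM state
        ts = datetime.strptime(m["ts"], "%b %d, %Y %I:%M:%S %p")
        key, msg = (m["server"], m["vm"]), m["msg"]
        err, st = ERROR_RE.match(msg), STATE_RE.match(msg)
        if err:
            code[key] = int(err.group(1))
        elif st:
            new, prev = st.group(1), state.get(key)
            if new == "REVERTING":
                code.pop(key, None)  # forget errors from an earlier attempt
            elif new == "ERROR" and prev and prev[0] == "REVERTING":
                failures.append({
                    "vm": key,
                    "vmware_error": code.pop(key, None),
                    "seconds_in_revert": (ts - prev[1]).total_seconds(),
                })
            state[key] = (new, ts)
    return failures
```

Calling `find_failed_reverts(SAMPLE_LOG)` yields a single record for VM 9616314; a revert that fails within a second or so, as here, fits the revert binary failing outright rather than a VM that reverted and then stalled.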