April 27, 2018
by Lindsay Hill
Packet Captures are a necessary evil when you need to prove network innocence. But they’re tedious to configure, collect & analyze. What if you could simplify the setup, collection and viewing? That’s what we’ve done here, combining StackStorm, Extreme Insight Architecture, CloudShark, and of course Slack.
Check out the video here – we show entering some commands in Slack, which triggers a packet capture on multiple switches. The PCAPs are automatically uploaded to CloudShark, so we can view the packets in our browser:
Read on for more about how to set this up.
There are a few key technologies in use here:
Plus of course StackStorm, which is the operational ‘glue’, stitching together these elements, co-ordinating inputs, actions and outputs across our environment.
Here are the basics for how to set this up:
HUBOT_TOKEN. Edit the /opt/stackstorm/chatops/st2chatops.env file on your StackStorm server, add that HUBOT_TOKEN, set HUBOT_ADAPTER=slack, and restart the st2chatops service. Invite the bot to your Slack channel, and it should start responding to
authorized_keys on the Guest VM. Add entries to DNS or your hosts file so that you can ssh from your StackStorm server to the switches and their guest VM. Use the format switch_name-tpvm for the guest VM DNS entries.
Install the st2_demos pack with st2 pack install https://github.com/StackStorm/st2_demos. This contains the alias file /opt/stackstorm/packs/st2_demos/aliases/multicap.yaml, and the workflow metadata and definition, /opt/stackstorm/packs/st2_demos/actions/multicap.yaml and /opt/stackstorm/packs/st2_demos/actions/workflows/multicap.yaml. You can of course edit these files and move them to other packs.
Install the clicrud and CloudShark packs with st2 pack install clicrud cloudshark.
Configure the CloudShark pack with st2 pack configure cloudshark; you will need to use your API key from above.
/opt/stackstorm/configs/clicrud.yaml, and configure as required.
sudo st2ctl reload --register-all
You should now be ready to test it out. From Slack, run
If this is responding, try running a capture. Something simple like multicapture 'port 179' on switches slx1,slx2.
You can get more complicated by adding count=20. If you don’t specify a timeout or count, it will use the default maximums of 300s or 100 packets.
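As an added example (not code from the original post or from the st2_demos pack), here is a Python helper that validates a multicapture request from Slack before a workflow acts on it: it clamps timeout and count to the 300s / 100 packet maximums stated above, allow-lists the capture filter and switch names so that nothing unexpected is handed to the capture command on the guest VM, and derives the switch_name-tpvm SSH targets. The command grammar and the allow-lists are assumptions for this example, not the pack's own alias definition.

```python
import re

# Limits stated in the post: default maximums of 300 seconds or 100 packets.
MAX_TIMEOUT = 300
MAX_COUNT = 100

# Assumed command grammar mirroring the Slack usage shown above:
#   multicapture '<bpf filter>' on switches <name>[,<name>...] [timeout=N] [count=N]
# This is an assumption for the example, not the st2_demos alias definition.
COMMAND_RE = re.compile(
    r"^multicapture\s+'(?P<filter>[^']*)'\s+on\s+switches\s+(?P<switches>\S+)"
    r"(?P<extra>(?:\s+\w+=\S+)*)\s*$"
)

# Conservative allow-lists. BPF filters such as "port 179" or "host 10.0.0.1 and tcp"
# need only these characters, so shell metacharacters never reach the guest VM.
FILTER_OK = re.compile(r"^[A-Za-z0-9 .:/_\-()]*$")
# Switch names must be valid DNS labels: they become "<name>-tpvm" SSH targets.
SWITCH_OK = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_multicapture(text):
    """Turn a Slack multicapture request into validated workflow parameters.

    Raises ValueError for anything that should not be sent to the switches;
    timeout and count are clamped to the maximums above.
    """
    m = COMMAND_RE.match(text.strip())
    if not m:
        raise ValueError("not a multicapture command")
    bpf = m.group("filter")
    if not FILTER_OK.match(bpf):
        raise ValueError("capture filter contains characters outside the allow-list")
    switches = [s for s in m.group("switches").split(",") if s]
    if not switches or any(not SWITCH_OK.match(s) for s in switches):
        raise ValueError("invalid switch name")
    params = {"filter": bpf, "switches": switches,
              "timeout": MAX_TIMEOUT, "count": MAX_COUNT}
    for option in m.group("extra").split():
        key, _, value = option.partition("=")
        if key not in ("timeout", "count") or not value.isdigit() or int(value) == 0:
            raise ValueError("unknown or non-numeric option: %s" % option)
        limit = MAX_TIMEOUT if key == "timeout" else MAX_COUNT
        params[key] = min(int(value), limit)
    # Guest VM DNS names follow the switch_name-tpvm convention from the setup steps.
    params["targets"] = ["%s-tpvm" % s for s in switches]
    return params
```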
This workflow can be improved, and made more robust. Potential improvements include: