Feature to ability monitor traffic between cape result server and sandbox.

[piolug93]

No description provided.

[doomedraven]

fix conflicts plz, and do not modify conf/routing.conf those config shouldnt be touched, only .default

[doomedraven]

and what is adventage of using nat instead of hostonly?

[piolug93]

Okay will resolve conflicts. Hostonly is still used, while MASQUERADE is not used in iptables. Another feature is the use of vrf so that traffic to resultserver passes by default gateway instead of through the interface lo.

[nbargnesi]

Great idea @piolug93. There's a lot of interesting stuff going on behind the scenes - alongside the result server traffic, agent communication and layer 2 traffic would be helpful to expose in analyses.

Did you consider adding an auxiliary module alongside the existing sniffer?

The existing sniffer heavily filters traffic (also #L139, auxiliary.conf) - having the ability to monitor result server, agent, and layer 2 traffic with auxiliary module and write out an analysis-debug.pcap to capture it all would be fantastic!

[piolug93]

Good to know about it, I had no idea about it. I haven't plans for write auxiliary module because i no need see that traffic in CAPE.