n2disk is a network traffic recorder from the brilliant engineering minds at ntop. With n2disk you can capture full-sized network packets at multi-Gigabit rates and write them to PCAP files without any packet loss for later analysis. Those who are familiar with PCAP files will most likely also be familiar with the free and open source packet analyzer, Wireshark. Today we will discuss how to integrate n2disk with an alternative solution, the online packet capture analyzer called CloudShark.
CloudShark is available as a VM or a physical appliance that can be installed either on a local network or in the cloud. Once you have a CloudShark instance up and running, it can be linked to an n2disk appliance by navigating to System > Cloudshark. In the URL field, enter your CloudShark instance's URL. Since we are using the web version, we simply enter https://www.cloudshark.org. The Security checkbox toggles the ability to use insecure HTTPS connections. For security reasons we advise that this box remain unchecked. The API Token field takes the 32-character string generated by CloudShark (https://support.cloudshark.io/api/).
The last two fields that need to be populated are the CloudShark Username and Password fields. Please note that the password will be saved in plain text, unencrypted. Once complete, click the Save changes button to confirm.
Testing the Integration
We can now test the integration by navigating to Applications > n2disk > (interface) > Files, and clicking the Upload to CloudShark button. Please note that with large files this may take some time. The nBox performs this operation in the background and notifies you when completed.
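During this step, a misconfiguration of the integration could cause the upload to fail. To troubleshoot, log on to the CLI of the n2disk host and run the command below. The -k option tells curl to skip TLS certificate verification; omit it when the CloudShark instance presents a certificate the host already trusts.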
curl -k -F file=@<pcap-file> https://<cloudshark-host>/api/v1/<api-key>/upload
A successful upload will return a result like:
Now we can test again in the nBox web UI. If the upload still fails at this point then we will need to check our mount options for our storage drive. Per the Disk Partitioning and Formatting documentation located here (https://www.ntop.org/guides/n2disk/filesystem.html) the following mount options are required:
For XFS filesystems: noatime,nodiratime,attr2,nobarrier,logbufs=8,logbsize=256k,osyncisdsync
For EXT4 filesystems: rw,user,auto,discard
Lastly, please ensure that the permissions are correct for the storage directory. Both the owner and the group should be n2disk, and the file permissions should be 755 in octal notation.
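The mount-option and ownership checks above can be scripted so every gap is reported in one pass. This is an added example, not code from ntop or the original post: the function names and the /storage mount point are assumptions, it assumes the storage directory is itself the mount point, and it reads the options from /etc/fstab rather than the live mount table.

```shell
#!/bin/sh
# Added example (not ntop's code): audit an n2disk storage mount point.
# Usage: check_storage /storage     (/storage is an assumed mount point)

# Required options, copied from the two lists above.
XFS_OPTS="noatime,nodiratime,attr2,nobarrier,logbufs=8,logbsize=256k,osyncisdsync"
EXT4_OPTS="rw,user,auto,discard"

# Print "fstype options" for mount point $1 from fstab file $2.
fstab_entry() {
    awk -v mp="$1" '$1 !~ /^#/ && $2 == mp { print $3, $4; exit }' \
        "${2:-/etc/fstab}"
}

# Print the options from comma list $1 that are absent from comma list $2.
missing_opts() {
    missing=""
    old_ifs=$IFS; IFS=,
    for opt in $1; do
        case ",$2," in
            *",$opt,"*) ;;
            *) missing="${missing:+$missing,}$opt" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$missing"
}

# True if "$1" (output of: stat -c '%U %G %a' DIR) is n2disk:n2disk, 755.
perms_ok() {
    [ "$1" = "n2disk n2disk 755" ]
}

# Report every finding for mount point $1; 0 = clean, 1 = findings,
# 2 = no xfs/ext4 entry for it in the fstab file ($2, optional).
check_storage() {
    rc=0
    entry=$(fstab_entry "$1" "$2")
    fstype=${entry%% *}; opts=${entry#* }
    case "$fstype" in
        xfs)  required=$XFS_OPTS ;;
        ext4) required=$EXT4_OPTS ;;
        *)    echo "$1: no xfs or ext4 entry in fstab"; return 2 ;;
    esac
    miss=$(missing_opts "$required" "$opts")
    [ -z "$miss" ] || { echo "$1: missing mount options: $miss"; rc=1; }
    perms_ok "$(stat -c '%U %G %a' "$1" 2>/dev/null)" ||
        { echo "$1: owner and group must be n2disk, mode 755"; rc=1; }
    return $rc
}
```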
With these common integration pitfalls resolved, we should now be able to log in to CloudShark and see our uploaded PCAP file.