Network Capture Tools
The network_capture tool server provides packet capture (tcpdump) and
PCAP analysis (tshark) capabilities through safe subprocess execution.
Linux Capability Requirements
Packet capture requires the CAP_NET_RAW capability. Without it, tcpdump
will fail with a permission error.
Docker (recommended)
The docker-compose.yml service already declares the capability:
services:
  agent-network-analyzer:
    cap_add:
      - NET_RAW
Bare-metal / VM deployment
Grant the capability to the tcpdump binary directly:
sudo setcap cap_net_raw+eip $(which tcpdump)
Or run the AuroraSOC agent process with ambient capabilities:
sudo capsh --caps="cap_net_raw+eip cap_setpcap,cap_setuid,cap_setgid+ep" \
--keep=1 --user=aurorasoc --addamb=cap_net_raw \
-- -c "AGENT_NAME=NetworkAnalyzer AGENT_PORT=9016 AGENT_TAGS=ndr,network,readonly python -m aurorasoc.agents.generic_server"
Verification
# Check that tcpdump has the capability
getcap $(which tcpdump)
# Expected: /usr/bin/tcpdump cap_net_raw=eip
# Quick smoke test (capture 5 packets on loopback)
tcpdump -i lo -c 5 -w /dev/null
Security Notes
- Capture files are written to a configurable directory (default /tmp/aurorasoc-captures). Ensure the directory has appropriate permissions.
- BPF filter expressions are validated before being passed to tcpdump. Shell metacharacters are rejected.
- tshark analysis uses create_subprocess_exec (no shell) to prevent command injection.
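The following is an added example, not AuroraSOC's own code, sketching the three controls listed above: an owner-only capture directory check, a BPF filter allowlist that rejects shell metacharacters, and a shell-free tcpdump invocation through asyncio.create_subprocess_exec (the real asyncio API named on the page). The function names (validate_bpf, build_tcpdump_argv, ensure_capture_dir, run_capture), the character allowlist and the limits are assumptions chosen for illustration; the allowlist keeps the characters common BPF expressions need (brackets, parentheses, comparison and bitwise operators) and drops the rest.

```python
# Added example (not AuroraSOC's code): validate capture parameters and run
# tcpdump without a shell. Function names and limits are hypothetical.
import asyncio
import re
import stat
from pathlib import Path

DEFAULT_CAPTURE_DIR = Path("/tmp/aurorasoc-captures")   # default named on the page

# Assumed allowlist: letters, digits, space, and the punctuation BPF itself uses
# (. : / - [ ] ( ) ! = < > & |). Characters only a shell cares about
# (; $ ` " ' \ # * ? ~ { } and newlines) therefore never match.
_BPF_ALLOWED = re.compile(r"^[A-Za-z0-9 ._:/\-\[\]()!=<>&|]+$")
_IFACE_ALLOWED = re.compile(r"^[A-Za-z0-9_.:-]{1,15}$")    # Linux ifname limit is 15
_LABEL_ALLOWED = re.compile(r"^[A-Za-z0-9_-]{1,64}$")      # no path separators
MAX_BPF_LEN = 512


class FilterError(ValueError):
    """Raised when user-supplied capture parameters fail validation."""


def validate_bpf(expr: str) -> str:
    """Return the stripped BPF expression if it passes the allowlist, else raise."""
    expr = expr.strip()
    if not expr:
        return ""                           # empty filter: capture everything
    if len(expr) > MAX_BPF_LEN:
        raise FilterError("BPF expression too long")
    if expr.startswith("-"):
        raise FilterError("BPF expression must not look like a tcpdump option")
    if not _BPF_ALLOWED.fullmatch(expr):
        raise FilterError("BPF expression contains disallowed characters")
    return expr


def is_safe_bpf(expr: str) -> bool:
    """Boolean convenience wrapper around validate_bpf."""
    try:
        validate_bpf(expr)
        return True
    except FilterError:
        return False


def build_tcpdump_argv(interface: str, count: int, bpf: str, label: str,
                       capture_dir: Path = DEFAULT_CAPTURE_DIR) -> list[str]:
    """Build the argv list for tcpdump. Nothing here is ever handed to a shell."""
    if not _IFACE_ALLOWED.fullmatch(interface):
        raise FilterError("invalid interface name")
    if not (1 <= count <= 100_000):
        raise FilterError("packet count out of range")
    if not _LABEL_ALLOWED.fullmatch(label):
        raise FilterError("invalid capture label")
    out = capture_dir / f"{label}.pcap"
    argv = ["tcpdump", "-n", "-i", interface, "-c", str(count), "-w", str(out)]
    expr = validate_bpf(bpf)
    if expr:
        argv.append(expr)                   # one argv element; tcpdump parses it as BPF
    return argv


def ensure_capture_dir(path: Path = DEFAULT_CAPTURE_DIR) -> Path:
    """Create the capture directory owner-only; refuse symlinks and loose modes."""
    path.mkdir(mode=0o700, parents=True, exist_ok=True)
    st = path.lstat()
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        raise FilterError(f"{path} is not a plain directory")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise FilterError(f"{path} is accessible to group/other; expected mode 0700")
    return path


async def run_capture(interface: str, count: int, bpf: str, label: str,
                      capture_dir: Path = DEFAULT_CAPTURE_DIR,
                      timeout: float = 30.0) -> tuple[int, str]:
    """Run tcpdump via exec (no shell). Returns (exit code, stderr text)."""
    ensure_capture_dir(capture_dir)
    argv = build_tcpdump_argv(interface, count, bpf, label, capture_dir)
    proc = await asyncio.create_subprocess_exec(
        *argv,
        stdin=asyncio.subprocess.DEVNULL,
        stdout=asyncio.subprocess.DEVNULL,
        stderr=asyncio.subprocess.PIPE,
    )
    try:
        _, err = await asyncio.wait_for(proc.communicate(), timeout)
    except asyncio.TimeoutError:
        proc.kill()                         # never leave a capture running forever
        await proc.wait()
        raise
    return proc.returncode, err.decode(errors="replace")


if __name__ == "__main__":
    # Same smoke test as the Verification section: 5 packets on loopback.
    rc, err = asyncio.run(run_capture("lo", 5, "", "smoke"))
    print("tcpdump exit code:", rc, err.strip())
```

Because the expression is passed as a single argv element to create_subprocess_exec, redirection or chaining characters would reach tcpdump as literal text and fail BPF parsing rather than reach a shell; the allowlist is a second layer that also keeps malformed input out of tcpdump's error output. The directory check deliberately fails on a pre-existing world-writable /tmp/aurorasoc-captures instead of silently reusing it.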