There are many cases where it is not possible to transfer files off a switch that is being analyzed. Cumulus Linux lets you collect this information through a text console, even for files that do not contain text. This document describes a technique for sharing smaller (~2MB or less) packet captures or cl-support files in text-based form, using a console to extract the packet capture from the isolated network device.
Networks isolated by an air gap are common. Unfortunately, this necessary security measure can impede rapid troubleshooting of network issues when packet captures need to be collected and exchanged from the affected devices.
An air gap or air wall is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured LAN.
By using the process below, you can encode a collected Packet Capture (PCAP) or cl-support file into base64 encoding, which can be exchanged across the air gap and then decoded back into the original file.
Note: You can get the best results when performing this process with files that have already been compressed, although it is not required.
- Collect traffic of interest into a Packet Capture (PCAP) file using tcpdump or generate a cl-support file with the
- Encode the PCAP (or cl-support) file into base64 encoding:
[email protected]$ base64 ./traffic.pcap
obLD1AACAAQAAAAAAAAAAAAA//8AAAAB7gAAABCAAAAQkQ4OQBJzEQ4OQBKTQgARcAA
--snip--
QkQ4OQBJAxgAAAAFAAAAAwAD0JAAA9CQAAAAAA==
- Copy the encoded base64 text across the air gap and insert the text into a text file on another Linux system.
- Decode the base64 text file back into the original PCAP file:
[email protected]$ base64 --decode ./textfile.txt > traffic.pcap
- Analyze the traffic capture in whatever tool is preferred:
[email protected]$ wireshark traffic.pcap
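
Text copied from a console can lose or change characters, and terminal session logs usually carry carriage returns that make `base64 --decode` reject the input. The following is an added example, not part of the original article: it prefixes the base64 text with a SHA-256 line on the switch and verifies it after decoding; the function names and the `# sha256` header format are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the original article). Function names and the
# "# sha256 <hex>" header line are assumptions made for this sketch.

# On the switch: print a checksum header, then the base64 body.
encode_for_console() {
    printf '# sha256 %s\n' "$(sha256sum < "$1" | cut -d' ' -f1)"
    base64 "$1"
}

# On the analysis host: decode_from_console TEXTFILE OUTFILE
# Strips carriage returns left by terminal logging, decodes, then refuses
# to keep the output unless its SHA-256 matches the header.
decode_from_console() {
    _want=$(tr -d '\r' < "$1" | awk '$1 == "#" && $2 == "sha256" { print $3; exit }')
    [ -n "$_want" ] || { echo "no sha256 header in $1" >&2; return 2; }
    tr -d '\r' < "$1" | grep -v '^#' | base64 --decode > "$2" ||
        { echo "base64 decode failed" >&2; rm -f "$2"; return 1; }
    _got=$(sha256sum < "$2" | cut -d' ' -f1)
    if [ "$_got" != "$_want" ]; then
        echo "sha256 mismatch: expected $_want, got $_got" >&2
        rm -f "$2"
        return 1
    fi
}

# Round trip over a constructed sample (pcap magic plus a few bytes),
# with CRLF line endings added to mimic a captured console session.
roundtrip_demo() {
    _dir=$(mktemp -d) || return 1
    printf '\324\303\262\241\002\000\004\000' > "$_dir/traffic.pcap"
    encode_for_console "$_dir/traffic.pcap" |
        awk '{ printf "%s\r\n", $0 }' > "$_dir/textfile.txt"
    decode_from_console "$_dir/textfile.txt" "$_dir/copy.pcap" &&
        cmp -s "$_dir/traffic.pcap" "$_dir/copy.pcap"
    _rc=$?
    rm -rf "$_dir"
    return "$_rc"
}

roundtrip_demo && echo "round trip verified"
```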