nsacyber / grassmarlin Goto Github PK

i can't find core.fingerprint3.Fingerprint,but the code need this. was it not been write yet ?

Thanks for the great tool ! I find it very useful on Windows.

On the other hand, on Linux, I have some troubles installing it. In fact, after downloading the source file, I can't compile and install the program. There's no "configure.ac" or "configure.in" files and a "make" command or "./configure" doesn't work.

I eventually run an autogen.sh script and it says that : "the GNU Build System is at least not used in this directory" (I was in the directory of the Grassmarlin source file) implying that it's not compatible with GNU System.

The guide says that grassmarlin is available on some version of linux but i can't seem to find a way to install it. Do you have a solution to this ? (I've experimented installation on ubuntu 14.04)

(sorry if my expression is bad, english is not my native language)

I am able to import the configs (no errors) but there is no output shown on the Graph tab. Can you supply a working example of the Cisco configs that work. Does it for for a Cisco 2950?

Thanks

I have successfully imported my pcaps but the topology maps are not populating. Any help will be greatly appreciated. I feel like I am missing a step but it is not clearly stated in the documentation.

There is probably a better way to communicate this, but I couldn't find it.

Just downloaded the Windows Full x64 and MSI versions however the hashes do not match.
It looks like the hash db page needs to be updated?
https://github.com/iadgov/GRASSMARLIN/blob/master/FileHash.md

Are their plans to support a batch mode w/o a GUI?

For our project, we'd like to pass a file or Unix pipe containing captured pcap data to GrassMarlin and have GrassMarlin save its output to a file named on the command line.

Thanks for your work on GrassMarlin!

the build.xml for JNWizard trys to import build-impl.xml but the build-impl.xml was not included with the source.

Thanks

When a report is generated by GRASSMARLIN, e.g. Logical Nodes Report, some of the data can contain carriage returns. A common example of this is the operating system field which often contains multiple entries separated by a carriage return. When the data is exported to a CSV file the carriage returns are included which causes formatting issues when viewing in a spreadsheet package such as Excel. To fix the file the CSV file has to be manually edited to either remove the carriage returns or to escape the data by surrounding the data with quotes.

Suggest that the static method fieldFromString in Csv.java is updated to escape a field that contains carriage returns.

Thanks for a great application.

Some Class remind Import org.apache.commons.io.FileUtils; And import org.apache.commons.lang3.ArrayUtils;

but i can't find some likes apache-*.jar

i hope someone can tell me how to find this jar file

I need some help in determining if there is anyone checking GRASSMARLIN for potential security vulnerabilities once deployed on a system? There haven't been any updates since Aug 4, 2017. A search of the NVD comes up with zero CVEs. Is NSA the software provider and software source? Can I assume that there haven't been any security updates or patches since 2017 since none are published?

Hello,
i'm using grassmarlin 3.2.1 on Windows 10, x64 version.
I've imported several .pcap files and saved the session into a gm3 file, just to avoid re-importing again those pcap files next time.
When I try to open that session again I get a "Error parsing session information" in grassmarlin message console and the logical view is empty.

This is the output of the dos window:

Exception in thread "JavaFX Application Thread" java.lang.IndexOutOfBoundsException: Index: 46, Size: 0
        at java.util.ArrayList.rangeCheck(Unknown Source)
        at java.util.ArrayList.get(Unknown Source)
        at core.document.serialization.Grassmarlin_3_2.layoutGraphNode(Grassmarlin_3_2.java:1220)
        at core.document.serialization.Grassmarlin_3_2$TabLoadHandler.endElement(Grassmarlin_3_2.java:1096)
        at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(Unknown Source)
        at com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.emptyElement(Unknown Source)
        at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(Unknown Source)
        at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(Unknown Source)
        at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(Unknown Source)
        at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
        at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown Source)
        at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(Unknown Source)
        at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
        at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl.parse(Unknown Source)
        at core.document.serialization.Grassmarlin_3_2.loadTab(Grassmarlin_3_2.java:924)
        at core.document.serialization.Grassmarlin_3_2.lambda$loadDocumentSax$306(Grassmarlin_3_2.java:132)
        at com.sun.javafx.application.PlatformImpl.lambda$null$172(PlatformImpl.java:295)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.sun.javafx.application.PlatformImpl.lambda$runLater$173(PlatformImpl.java:294)
        at com.sun.glass.ui.InvokeLaterDispatcher$Future.run(InvokeLaterDispatcher.java:95)
        at com.sun.glass.ui.win.WinApplication._runLoop(Native Method)
        at com.sun.glass.ui.win.WinApplication.lambda$null$147(WinApplication.java:177)
        at java.lang.Thread.run(Unknown Source)

any help?

I am noticing an issue of seeing a significantly different network when importing the same packet capture, saved as a .pcap and then as a .pcapng. I have tried several packet captures with the same results. The live capture is being done with Wireshark and being saved originally as .pcapng and then later converting it to a .pcap. The .pcap file import shows significantly more information versus the .pcapng.

Any thoughts? Thanks.

please forgive my stupid question, but I am confused about how to build this project. After reading this project, no project-describe file or something like how-to-build-and-run.md was found. Will you please guide how to compile and build this project, so that I can do some modification to fit my necessary. THANKS A LOT!

Paths for Wireshark, Text Editor and PDF reader don't survive program exit / restart.

Second issue: there is no browsing to get the path to "Preferred text editor" or "Preferred text editor." (See "Set" when what we want is "Find," as with the Wireshark path field). Also, the word "Find" is typically reserved for search-like functionality, whereas "Browse..." is the most idiomatic label for the functionality the "Find" button provides.

I understand this is a tool meant for ICS / SCADA networks, but I have had some luck using it to map other network types. A few months ago I utilized it to import ~200GB of packet capture, and while the system took all the data and did not crash, there were a lot of nodes that did not appear during this import. I narrowed the traffic down to specific ports (show all SSH traffic, etc) and this identified additional hosts.

Is this a known issue, or is this because it is data pulled from a non-ICS/SCADA network?

I am sure it is operator error but I am applying the desktop file verbatim and it shows no such file.
Any assistance is greatly appreciated.

I've read the .pdf and looked at the .pptx, and looked through the files. I must be missing something and feel dumb even asking, but how do I start GRASSMARLIN?

I would like to use API to control Grassmarlin's start and end. Where is the interface

Hi there,

I am running Ubuntu 16.04, and have Wireshark 2.2.6 installed.
When starting Grassmarlin (3.2.1) it states that "Wireshark is NOT installed..."

It appears that I don't have the correct version of Wireshark? Have tried changing the location of Wireshark in Preferences, but no luck (either choosing the wrong file, or wrong version?)

I cannot pull up a physical map from the pcaps that I have imported.

Steps to reproduce:

1. Setup a SPAN session a Cisco switch with an 802.1q trunk as the source and with the destination option 'encapsulation replicate'

interface GigabitEthernet1/0/1
 description A Trunk Port
 switchport mode trunk
end

monitor session 1 source interface Gi1/0/1
monitor session 1 destination interface Gi1/0/2 encapsulation replicate

2. Use dumpcap to capture that data.
3. Load that pcap in grassmarlin and notice that either no or very few hosts are listed. The only hosts listed are those that passed unencapsulated data (eg for spanning tree or CDP)

Hello,

I am trying to run grassmarlin on Centos 7. I am able to install, but the program crashes every time, prompting me to check the logs. I tried the previous three releases.

Any suggestions? I can't seem to find your logs anywhere either.

The error information:
GM3\src\core\fingerprint\PayloadFunctions.java:11: error: package util.parser doesn't exit.
import util.parser.CalcLexer;
GM3\src\core\fingerprint\PayloadFunctions.java:11: error: package util.parser doesn't exit.
import util.parser.CalcParser;

Thanks for your help!

I believe there is an issue when writing a fingerprint to extract some data from the end of a packet. The schema for an Extract node is that it should contain a From and a To attribute. The From indicates the index into the data where the extraction begins and the To attribute indicates the index up to which data is extracted. E.g. If the packet contains a stream of numbers...
0123456789
Then to extract the first character the Extract XML should be
<Extract From="0" To="1" ...>
To extract the first two characters the Extract XML should be
<Extract From="0" To="2" ...>
And then to extract the entire string the Extract XML should be
<Extract From="0" To="10" ...>
This XML instructs that the data from index 0 to 9 will be extracted. "To" means up to, but not including index 10. This is fine. However, the extract function in PacketData.java requires that the To value must be less than the payload size. This test always fails and so no data is extracted. I hope this makes sense.

Hi,
I wanted to know if there is a terminal/cmd version for the tool like tshark for wireshark for example?

Thank you

"Unable to initialize JNetPCap,packet capture functionality will be disabled",why?How I can solve this problem?