You need to run Zeek (formerly known as
Bro), version 3.0 minimum (tested with 3.0 and 3.1) with the option
-b and the location of the
passiverecon/bare.zeek file. If you
want to run it on the
eth0 interface, for example, run (replace
/usr/share/ivre by the appropriate location; use
'import ivre.config; print(ivre.config.guess_prefix())' if you
cannot find it):
$ mkdir logs $ sudo LOG_PATH=logs/passiverecon \ > zeek -b /usr/share/ivre/zeek/ivre/passiverecon/bare.zeek -C -i eth0
If you want to run it on the
capture file (
capture needs to a
PCAP file), run:
$ mkdir logs $ LOG_PATH=logs/passiverecon \ > zeek -b /usr/share/ivre/zeek/ivre/passiverecon/bare.zeek -r capture
This will produce log files in the
logs directory. You need to run a
ivre passivereconworker to process these files. You can try:
$ ivre passivereconworker --directory=logs
This program will not stop by itself. You can
kill it, it will
stop gently (as soon as it has finished to process the current file).
You can also send the data from
zeek to the database without using
$ zeek -b /usr/share/ivre/zeek/ivre/passiverecon/bare.zeek [option] \ > | ivre passiverecon2db
You need to install p0f v3, and
use it with the option
-o to produce an output file. Then, provide
that output file to
For now, only
syn+ack modes are supported.
Enjoying the results¶
You have several options, depending on what you want to do:
Command line interfaces (see also Passive network analysis in the screenshots gallery):
ivre ipinfotool, for any passive data.
ivre iphosttool, for Passive DNS data (see Your own Passive DNS service).
Python API: use the
db.passiveobject of the
To show everything stored about an IP address or a network:
$ ivre ipinfo 22.214.171.124 $ ivre ipinfo 126.96.36.199/24
See the output of
ivre help ipinfo and
ivre help iphost.
To use the Python module, run for example:
$ python >>> from ivre.db import db >>> db.passive.get(db.passive.flt_empty)
For more, run
help(db.passive) from the Python shell.