Notice
This guide is for the original release of AQtive Guard. For the current AQG SaaS platform, go to the AQtive Guard User Guide.
Getting started capturing live network traffic
The yanadump tool provides an alternative to PCAP analysis. yanadump listens on a network interface and captures handshake information in a trace file (.cst) formatted for analysis in AQtive Guard.
yanadump functions as a network probe, enabling live network traffic monitoring through two deployment methods. It must be deployed on a machine that either sends and receives traffic or receives forwarded traffic for analysis:
- Direct traffic monitoring: Listen to traffic from the network interface of an endpoint, such as a Linux server.
- Traffic mirroring: Use cloud-native traffic mirroring to monitor forwarded traffic from cloud-based assets or in a hybrid environment.
Direct traffic monitoring (Linux)
To dump handshake information from a live interface, run:
The yanadump binary requires both the CAP_NET_ADMIN and CAP_NET_RAW Linux capabilities to capture packets. This can be achieved by doing one of the following:
- Run the yanadump tool as root (not recommended)
- Add the following capabilities to the yanadump binary:
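The following is an added example, not code from the AQtive Guard documentation: it grants the two capabilities named above with setcap, verifies them by parsing getcap output, and then runs yanadump as an unprivileged user. The binary path is an assumption; the -i and -o options are the ones used elsewhere on this page.

```shell
#!/bin/sh
# Added example, not part of the AQtive Guard documentation: grant yanadump the
# two capabilities named above and verify them before running it as an
# unprivileged user. The binary path is an assumption.

# Parse one line of getcap(8) output and succeed only when both capabilities are
# present with the effective (e) and permitted (p) flags. Recent libcap prints
#   /usr/local/bin/yanadump cap_net_admin,cap_net_raw=ep
# older versions print
#   /usr/local/bin/yanadump = cap_net_admin,cap_net_raw+ep
has_capture_caps() {
    line="$1"
    case "$line" in *cap_net_admin*) ;; *) return 1 ;; esac
    case "$line" in *cap_net_raw*)   ;; *) return 1 ;; esac
    flags=${line##*[=+]}          # the flag letters after the last '=' or '+'
    case "$flags" in
        *e*p*|*p*e*) return 0 ;;
        *) return 1 ;;
    esac
}

# Set the file capabilities (run once, as root) and confirm they took effect.
# Note: file capabilities are ignored on filesystems mounted nosuid, and must be
# set on the real ELF binary, not on a wrapper script.
grant_capture_caps() {
    bin="$1"
    setcap 'cap_net_admin,cap_net_raw+ep' "$bin" || return 1
    has_capture_caps "$(getcap "$bin")"
}

# Once, as root:            grant_capture_caps /usr/local/bin/yanadump
# Then, as a normal user:   yanadump -i interface0 -o trace.cst
```

Checking getcap output rather than trusting the setcap exit status catches the case where the capabilities were written but will not apply (for example a nosuid mount), which otherwise surfaces only as yanadump failing to open the interface.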
Stopping a live capture
To run the yanadump tool for a predetermined amount of time, use the unix timeout command:
In this example, the yanadump command will be terminated after running for one hour.
Continuous monitoring
Deploy yanadump to regularly push jsonl files to AQtive Guard on a recurring schedule (such as daily) for ongoing monitoring of your network cryptography.
To continuously analyze machine traffic, run yanadump for a specified duration and then upload the generated trace file to AQtive Guard in a loop. Ensure the machine uploading the trace has access to the AQtive Guard API.
The following script provides an example workflow:
export CRYPTOSENSE_API_KEY=secret      # API key read by cs-api (placeholder value)
while true; do
  # one new trace file per capture window (GNU mktemp accepts the .cst suffix after the X's)
  TRACE_FILE=$(mktemp trace-XXXXXX.cst)
  # capture for 24 hours; timeout then stops yanadump, which closes the trace file
  timeout 24h yanadump -i interface0 -o "$TRACE_FILE"
  # upload the trace; delete it only if the upload succeeded
  cs-api upload-trace [...] --trace-file "$TRACE_FILE" && rm "$TRACE_FILE"
done
In this example:
- mktemp, timeout, and rm are standard unix binaries
- cs-api is an API client provided by SandboxAQ
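A hardened version of this loop, added here as an example and not taken from the AQtive Guard documentation or the cs-api client: it treats the exit status that timeout returns when the capture window ends as success (this also covers the timed one-hour run described under "Stopping a live capture"), skips uploading empty traces, and backs off when yanadump fails instead of spinning and filling the disk. The interface name, the trace directory and the CS_API_ARGS variable are assumptions; CS_API_ARGS stands in for the cs-api options elided above as [...].

```shell
#!/bin/sh
# Added example, not part of the AQtive Guard documentation: a hardened version
# of the capture-and-upload loop above. The interface name, the trace directory
# and CS_API_ARGS are assumptions; CS_API_ARGS stands for the cs-api options the
# page elides as "[...]".

CS_API_ARGS="${CS_API_ARGS:-}"

# Run a capture command under a time limit. timeout(1) exits 124 when the limit
# expires; for a capture that is the normal way to stop, so 124 counts as
# success. Any other non-zero status means the capture itself failed.
run_capture() {
    duration="$1"; shift
    rc=0
    timeout "$duration" "$@" || rc=$?
    if [ "$rc" -eq 124 ]; then
        return 0
    fi
    return "$rc"
}

# Upload only traces that contain data; an empty file usually means yanadump
# exited immediately (wrong interface name, missing capabilities).
should_upload() {
    [ -s "$1" ]
}

# One trace file per capture window, named by UTC start time so files sort
# chronologically and nothing unnamed is left behind if the loop is interrupted.
trace_name() {
    printf '%s/trace-%s.cst\n' "$1" "$(date -u +%Y%m%dT%H%M%SZ)"
}

# Capture for WINDOW (timeout syntax, e.g. 1h or 24h) on IFACE, upload, repeat.
# A trace whose upload fails is kept on disk for a manual retry.
capture_loop() {
    iface="$1"; dir="$2"; window="$3"
    while true; do
        f=$(trace_name "$dir")
        if run_capture "$window" yanadump -i "$iface" -o "$f"; then
            if should_upload "$f"; then
                # CS_API_ARGS is intentionally unquoted so it word-splits into options
                cs-api upload-trace $CS_API_ARGS --trace-file "$f" && rm -f "$f"
            else
                echo "empty trace $f, skipping upload" >&2
                rm -f "$f"
            fi
        else
            # Capture failed outright: back off instead of looping immediately.
            echo "yanadump failed on $iface, retrying in 60s" >&2
            rm -f "$f"
            sleep 60
        fi
    done
}

# Usage:  export CRYPTOSENSE_API_KEY=...; capture_loop interface0 /var/lib/yanadump 24h
```

Distinguishing exit status 124 from other failures is the important change: with the plain loop, a yanadump that dies at start-up (for example because the capabilities were not applied) is indistinguishable from a completed window, and the loop keeps uploading empty files.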
Yanadump traffic mirroring strategy
Using cloud-native traffic mirroring, yanadump extends monitoring to cloud assets, enabling seamless coverage in hybrid environments.
By analyzing traffic from virtual instances, containers, and other cloud resources, it centralizes monitoring for both on-premises and cloud networks, delivering consistent security insights and comprehensive visibility across the entire enterprise infrastructure.
Yanadump implementation plan
We recommend strategically deploying yanadump at key aggregation points, such as core routers or switches, rather than on individual endpoints. This placement enables it to efficiently monitor traffic from multiple sources, providing broad visibility with minimal deployment effort.
- Assess traffic mirroring and forwarding options. Identify current traffic mirroring, forwarding, and monitoring configurations (such as SPAN ports, TAPs, AWS VPC Traffic Mirroring, or Azure Network Watcher) across your on-premises and cloud environments. Aligning with current configurations enables centralized data collection and streamlines analysis across the network.
- Identify key network aggregation points. Locate core routers, switches, or other network convergence points where traffic from multiple endpoints converges. These will be prioritized for yanadump deployment, providing maximum visibility from minimal infrastructure.
- Select critical cloud assets. Identify essential cloud resources, such as virtual machines and containers, for monitoring. Configure traffic mirroring to forward traffic from these cloud assets to yanadump, ensuring a unified view across hybrid environments.
- Deploy yanadump at aggregation points. Install yanadump at selected on-premises convergence points to capture and analyze aggregated network traffic efficiently. This placement enables yanadump to monitor multiple sources with minimal deployment footprint.
- Enable cloud traffic mirroring. For comprehensive hybrid network coverage, configure traffic mirroring for the selected cloud assets to direct relevant traffic to yanadump for analysis. This setup allows AQtive Guard to receive both on-premises and cloud data in one central location.
- Automate jsonl file generation. Set yanadump to create jsonl files on a recurring schedule (such as daily), pushing these files to AQtive Guard. This recurring generation allows for time-based cryptographic insights without large data storage requirements, keeping analysis efficient.
Refer to the GCP Packet Mirroring Tutorial for an example of configuring traffic mirroring on Google Cloud Platform.
Important
To ensure proper analysis in AQtive Guard, PCAP network captures must include TCP handshake packets (SYN/SYNACK) and, if applicable, RST packets. If your network device pre-filters traffic or limits captured data (for example, truncating after a certain number of bytes), verify that these critical packets are retained. Omitting them prevents tools like yanadump from identifying and analyzing TCP streams, resulting in incomplete or unusable analysis.
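Two checks worth running on a PCAP before uploading it, added here as an example and not part of the AQtive Guard documentation: reading the snaplen from the pcap global header to detect device-side truncation, and counting SYN, SYN-ACK and RST packets with tcpdump to detect pre-filtering. File paths are assumptions, and the pcap headers used to exercise the snaplen check are constructed.

```shell
#!/bin/sh
# Added example, not from the AQtive Guard documentation: two checks to run on
# a PCAP before uploading it. File paths are assumptions.

# Print the snaplen stored in the pcap global header (bytes 16-19). A snaplen
# smaller than the headers your traffic carries means the capturing device
# truncated packets. Handles both byte orders and nanosecond-resolution pcaps.
pcap_snaplen() {
    f="$1"
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    set -- $(od -An -tx1 -j16 -N4 "$f")     # four hex bytes of the snaplen field
    [ "$#" -eq 4 ] || return 1
    case "$magic" in
        d4c3b2a1|4d3cb2a1) hex="$4$3$2$1" ;;  # little-endian file
        a1b2c3d4|a1b23c4d) hex="$1$2$3$4" ;;  # big-endian file
        *) return 1 ;;                        # not classic pcap (pcapng starts 0a0d0d0a)
    esac
    printf '%d\n' "0x$hex"
}

# Count the packets needed to reconstruct TCP streams. Requires tcpdump. A zero
# in the syn or synack column means the capture was pre-filtered and streams
# cannot be identified; rst shows whether resets were retained.
handshake_counts() {
    f="$1"
    syn=$(tcpdump -nr "$f" 'tcp[tcpflags] & (tcp-syn|tcp-ack) = tcp-syn' 2>/dev/null | wc -l | tr -d ' ')
    synack=$(tcpdump -nr "$f" 'tcp[tcpflags] & (tcp-syn|tcp-ack) = (tcp-syn|tcp-ack)' 2>/dev/null | wc -l | tr -d ' ')
    rst=$(tcpdump -nr "$f" 'tcp[tcpflags] & tcp-rst != 0' 2>/dev/null | wc -l | tr -d ' ')
    printf 'syn=%s synack=%s rst=%s\n' "$syn" "$synack" "$rst"
}

# Usage:  pcap_snaplen /path/to/capture.pcap; handshake_counts /path/to/capture.pcap
```

The snaplen check only detects truncation by the capture tool itself; a device that filters packets out entirely leaves a full snaplen, which is why the handshake count is the second check.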