Updating SNAP length for NetShark Capture Jobs

A recent request came my way on how to update the SNAP length on packets captured by a NetShark appliance. This seemed like it should be easy enough to do with SteelScript, so I decided to dig in.

 

The SNAP length is configurable per capture job and defaults to 65535 (capture the entire packet).  It can be set differently for different capture jobs. 

 

It turns out that the current SteelScript NetShark API does not have helper functions to update the configuration, but we can still get most of the work done using standard SteelScript methods, and then dive down to the low-level API calls to do the final update.

 

In a nutshell, we need to connect to the appliance, get the capture job, tweak the config structure, then push the modified config back to the appliance.  Something like the following:

 

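from steelscript.netshark.core import NetShark
from steelscript.common.service import UserAuth

netshark = NetShark('10.1.2.3', auth=UserAuth('admin', 'password'))
job = netshark.get_capture_job_by_name('my-capture-job')
# Change the SNAP length in the job's config, then push it back via the low-level API
job_config = job.data['config']
job_config['snap_length'] = 500
job._api.update(job.id, job_config)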

 

Note that the configuration for a RUNNING capture job cannot be modified, so that last line will fail if the job is RUNNING. Check the state with job.get_state(); if the job is running, call job.stop() to stop it, update the config, then call job.start() to restart it.

 

The following script puts this all together as a nice command line script with a few bells and whistles, as well as some error checking.  This can be used as is to list the SNAP length for all jobs, as well as to adjust it for one or more jobs:

 

 

For each running job that should be updated, the script asks for confirmation that the job can be stopped, updated, and restarted. (The '-y' option can be specified on the command line to assume yes to all such questions.)
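
The stop, update and restart sequence and the confirmation step described above, as an added example that is not the author's script or SteelScript's own code: it restarts the job even when the update is rejected, so packet capture is not left stopped. The set_snap_length function, its confirm callback and the FakeJob stand-in are hypothetical names; real job objects are assumed to expose the members the post uses.

```python
# Added example, not the author's script. Job objects are assumed to expose the
# members the post uses: get_state, stop, start, data['config'], id, _api.update.

def set_snap_length(job, snap_length, confirm=lambda job: False):
    """Return 'unchanged', 'skipped' or 'updated'. confirm is a hypothetical callback."""
    # Bounds are an assumption; the post only gives 65535 as the default.
    if not 0 < snap_length <= 65535:
        raise ValueError('snap_length must be in 1..65535')
    if job.data['config'].get('snap_length') == snap_length:
        return 'unchanged'
    was_running = job.get_state() == 'RUNNING'
    if was_running:
        if not confirm(job):      # caller declined to interrupt capture
            return 'skipped'
        job.stop()
    try:
        new_config = dict(job.data['config'], snap_length=snap_length)
        job._api.update(job.id, new_config)
    finally:
        # Restart even if the update failed, so capture is not left stopped.
        if was_running:
            job.start()
    return 'updated'


class FakeJob:
    """Constructed stand-in for a capture job so the example runs offline."""
    def __init__(self, state, snap_length=65535, fail_update=False):
        self.id, self._api = 'job-1', self
        self.data = {'config': {'snap_length': snap_length}}
        self.state, self.fail_update, self.calls = state, fail_update, []
    def get_state(self):
        return self.state
    def stop(self):
        self.state = 'STOPPED'
        self.calls.append('stop')
    def start(self):
        self.state = 'RUNNING'
        self.calls.append('start')
    def update(self, job_id, config):
        if self.state == 'RUNNING' or self.fail_update:
            raise RuntimeError('update rejected')
        self.calls.append('update')
        self.data['config'] = config


if __name__ == '__main__':
    job = FakeJob('RUNNING')
    print(set_snap_length(job, 500, confirm=lambda j: True), job.calls)
```

With a real appliance, pass the job returned by get_capture_job_by_name in place of FakeJob and supply a confirm callback that prompts the operator.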