Export PiRogue data
This is the English translation of a tutorial originally written in Spanish by niculcha.
What is PiRogue
For a few months we have been testing PiRogue to perform network traffic analysis, mainly on cell phones. PiRogue is a very complete tool: it bundles many applications that help with network traffic analysis, and its hardware and software let us monitor and intercept network traffic.
One of the big challenges in forensic analysis is knowing how to search the results. PiRogue deletes its data every 5 days for security reasons, so to do any further analysis we need to extract the alerts and flows produced by the analysis. To export the data, follow these steps.
How to export data
First, connect to your PiRogue with SSH:
ssh -p22 pi@<PiRogue IP address>
Then, export alert data in a CSV file:
influx -database 'suricata' -execute 'SELECT * FROM "suricata"."suricata_5d"."alert"' -format 'csv' > alerts-`date +"%Y-%m-%d"`.csv
Export flow data too:
influx -database 'flows' -execute 'SELECT * FROM "flows"."flows_5d"."flow"' -format 'csv' > flows-`date +"%Y-%m-%d"`.csv
Finally, copy the 2 generated CSV files from PiRogue to your computer using scp. On your computer, use the following command:
scp pi@<PiRogue IP address>:<path of the CSV file> .
Once you have retrieved your CSV files, you can open them with Excel, LibreOffice or any other software supporting the CSV format.
Going further
The queries listed above are pretty simple, but you can adapt them to your specific needs; check out the InfluxDB documentation.
You can refine your request by filtering on the following fields of the flows database:
time: timestamp in nanoseconds of the first bidirectional packet of the flow
application_category_name: nDPI detected application category name
application_name: nDPI detected application name
bidirectional_bytes: flow bidirectional bytes accumulator
bidirectional_duration_ms: flow bidirectional duration in milliseconds
city: city determined by geoip based on the remote IP address
community_id: community ID
community_id_b64: community ID encoded in base64
country: country name determined by geoip based on the remote IP address
country_iso: country ISO code determined by geoip based on the remote IP address
dst2src_bytes: flow destination to source bytes accumulator
dst_ip: destination IP address string representation
dst_mac: destination MAC address string representation
dst_port: transport layer destination port
latitude: latitude determined by geoip based on the remote IP address
longitude: longitude determined by geoip based on the remote IP address
requested_server_name: requested server name (SSL/TLS, DNS, HTTP)
src2dst_bytes: flow source to destination bytes accumulator
src_ip: source IP address string representation
src_mac: source MAC address string representation
src_port: transport layer source port
You can refine your request by filtering on the following fields of the suricata database:
time: timestamp in nanoseconds of the detection
alert_category: category of the triggered rule
alert_severity: alert severity
alert_signature: signature of the triggered rule
alert_signature_id: unique identifier of the triggered rule
app_proto: network protocol (dns, http…)
community_id: community ID
community_id_b64: community ID encoded in base64
dest_ip: destination IP address string representation
dest_port: transport layer destination port
in_iface: network interface name
proto: transport protocol (UDP, TCP)
src_ip: source IP address string representation
src_port: transport layer source port