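#!/bin/bash
#
# Wide-net startup capture - catches EVERYTHING external.
#
# Records all non-local IPv4/IPv6 traffic leaving this host while Nuke starts
# up, then summarises destination addresses, DNS names and TLS SNI with tshark
# so unexpected servers stand out.
#
# Usage: run from a terminal, launch Nuke when prompted, press Enter once it
#        has fully loaded.
#
# Things to keep in mind when reading the results:
#   * The capture is host-wide. It contains traffic from EVERY process, not
#     just Nuke, so a connection in the pcap is not proof that Nuke made it,
#     and the file may hold other applications' session data. It is chmod 600
#     for that reason - think before leaving it in a synced vault.
#   * tcpdump needs root (sudo). On distributions where tcpdump drops
#     privileges before opening -w, writing into $HOME can fail; the
#     "Capture file not created" check below reports that case.

set -uo pipefail

OUTPUT_DIR="$HOME/Documents/obsidian-vault/2-projects/Nuke-monitoring/dump/startup-wide"
TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)
PCAP_FILE="$OUTPUT_DIR/startup_wide_$TIMESTAMP.pcap"
IPS_FILE="$OUTPUT_DIR/unique_ips_$TIMESTAMP.txt"
DNS_FILE="$OUTPUT_DIR/dns_lookups_$TIMESTAMP.txt"
TLS_FILE="$OUTPUT_DIR/tls_servers_$TIMESTAMP.txt"

mkdir -p "$OUTPUT_DIR" || { echo "ERROR: cannot create $OUTPUT_DIR" >&2; exit 1; }

# BPF capture filter: drop RFC 1918, loopback, link-local and multicast noise
# so only traffic that leaves the host remains. The previous filter excluded
# only 10/8, so 192.168/16 and 172.16/12 LANs were still captured, and
# 239/8 was redundant (it is inside 224/4).
# DNS (port 53) is kept even to local addresses: with a loopback stub resolver
# (e.g. 127.0.0.53) or a router acting as resolver, excluding it would leave
# the "DNS lookups" report empty and the telemetry check blind.
CAPTURE_FILTER='port 53 or not (net 10.0.0.0/8 or net 172.16.0.0/12 or net 192.168.0.0/16 or net 169.254.0.0/16 or net 127.0.0.0/8 or net 224.0.0.0/4 or net fe80::/10 or ip6 multicast or port 5353)'

# Display filter for the "is it phoning home" check. Matched against both DNS
# query names and TLS SNI: a cached DNS answer produces no query packet, but
# the TLS ClientHello still names the server. (?i) makes the match
# case-insensitive.
TELEMETRY_FILTER='dns.qry.name matches "(?i)(foundry|honeycomb|sentry)" or tls.handshake.extensions_server_name matches "(?i)(foundry|honeycomb|sentry)"'

TCPDUMP_PID=""

#######################################
# Stop the background capture, if one is running.
# Globals:  TCPDUMP_PID (read, then cleared)
# Returns:  0
#######################################
stop_capture() {
  [[ -n "$TCPDUMP_PID" ]] || return 0
  # $TCPDUMP_PID is the sudo wrapper's PID; sudo relays SIGTERM to tcpdump,
  # which flushes and closes the pcap before exiting. sudo only exits after
  # tcpdump does, so wait returns once the file is complete.
  sudo kill "$TCPDUMP_PID" 2>/dev/null
  wait "$TCPDUMP_PID" 2>/dev/null
  TCPDUMP_PID=""
}
# Also runs on Ctrl-C / unexpected exit so tcpdump is not left running as
# root in the background.
trap stop_capture EXIT

echo "=== Wide-Net Nuke Startup Capture ==="
echo ""
echo "This will capture ALL external network traffic (not just Foundry domains)"
echo "so we can see if Nuke is connecting to unexpected servers."
echo ""

# Check if Nuke is running. pgrep matches on the process name, which for a
# script run via its shebang is the script's own filename - so exclude our
# own PID in case this script is named after Nuke too.
if pgrep -i nuke 2>/dev/null | grep -qvx "$$"; then
  echo "WARNING: Nuke appears to be running. Please close it first."
  echo ""
  read -rp "Press Enter after closing Nuke..."
fi

# Authenticate sudo up front so the password prompt does not fire from the
# backgrounded tcpdump and get tangled with the prompts below.
sudo -v || { echo "ERROR: sudo authentication failed" >&2; exit 1; }

echo ""
echo "Starting wide capture (capturing ALL external traffic)..."
echo "This will be a larger file since we're not filtering by domain."
echo ""

sudo tcpdump -i any -w "$PCAP_FILE" "$CAPTURE_FILTER" &
TCPDUMP_PID=$!

echo "Capture running (PID: $TCPDUMP_PID)"
echo ""
echo "================================================"
echo "NOW LAUNCH NUKE"
echo "================================================"
echo ""
read -rp "Press Enter after Nuke has FULLY loaded (all windows open)..."
echo ""
echo "Stopping capture..."
stop_capture
echo ""
echo "Capture complete!"
echo ""

if [[ ! -f "$PCAP_FILE" ]]; then
  echo "ERROR: Capture file not created: $PCAP_FILE" >&2
  exit 1
fi

# tcpdump ran as root (or as its privilege-drop user), so the file is not
# ours. Take ownership and lock it to the owner - it holds every process's
# traffic, not only Nuke's.
if ! { sudo chown "$(id -u):$(id -g)" "$PCAP_FILE" && chmod 600 "$PCAP_FILE"; }; then
  echo "WARNING: could not restrict permissions on $PCAP_FILE" >&2
fi

PCAP_SIZE=$(du -h "$PCAP_FILE" | cut -f1)
echo "File: $PCAP_FILE"
echo "Size: $PCAP_SIZE"
echo ""

# Basic analysis
echo "Analyzing capture..."
echo ""
if command -v tshark >/dev/null 2>&1; then
  echo "=== Packet Statistics ==="
  tshark -r "$PCAP_FILE" -q -z io,stat,0
  echo ""

  echo "=== Unique Destination IPs ==="
  # Both address families. -T fields prints one tab-separated line per
  # packet, so split the columns and drop the empty one. Note the host's own
  # address appears here too (it is the destination of inbound packets).
  tshark -r "$PCAP_FILE" -T fields -e ip.dst -e ipv6.dst 2>/dev/null \
    | tr '\t' '\n' | grep -v '^$' | sort -u \
    | tee "$IPS_FILE"
  echo ""

  echo "=== DNS Lookups During Startup ==="
  tshark -r "$PCAP_FILE" -Y "dns.flags.response == 1" -T fields -e dns.qry.name 2>/dev/null \
    | sort -u | tee "$DNS_FILE"
  echo ""

  echo "=== Checking for Foundry/Honeycomb/Sentry ==="
  FOUNDRY_COUNT=$(tshark -r "$PCAP_FILE" -Y "$TELEMETRY_FILTER" 2>/dev/null | wc -l)
  if [[ "$FOUNDRY_COUNT" -gt 0 ]]; then
    echo "✓ FOUND $FOUNDRY_COUNT packets to Foundry/telemetry services:"
    tshark -r "$PCAP_FILE" -Y "$TELEMETRY_FILTER" 2>/dev/null
  else
    echo "✗ NO Foundry/telemetry traffic found during startup"
    echo ""
    echo "This suggests:"
    echo "  1. Telemetry only happens on FIRST launch (not subsequent launches)"
    echo "  2. Telemetry is delayed/batched (happens after startup)"
    echo "  3. Telemetry is sent later during the session"
    echo "  4. It goes to a hostname not matching foundry/honeycomb/sentry"
    echo "     (check the TLS server list below), or name resolution was"
    echo "     cached or encrypted (DoH/DoT) and no SNI was seen"
  fi
  echo ""

  echo "=== HTTP Traffic (if any) ==="
  # Plain HTTP only; HTTPS bodies are opaque here. First 20 requests shown.
  tshark -r "$PCAP_FILE" -Y "http.request" -T fields -e http.host -e http.request.uri 2>/dev/null \
    | head -20
  echo ""

  echo "=== TLS/HTTPS Connections (Server Name Indication) ==="
  tshark -r "$PCAP_FILE" -Y "tls.handshake.extensions_server_name" \
    -T fields -e tls.handshake.extensions_server_name 2>/dev/null \
    | sort -u | tee "$TLS_FILE"
  echo ""
else
  echo "tshark not installed. Install wireshark-cli for analysis:"
  echo "  sudo pacman -S wireshark-cli"
  echo ""
  echo "You can analyze manually with:"
  echo "  wireshark $PCAP_FILE"
fi

echo ""
echo "=== Summary ==="
echo "Results saved to: $OUTPUT_DIR/"
echo "  - Raw capture: $PCAP_FILE"
echo "  - Unique IPs:  $IPS_FILE"
echo "  - DNS lookups: $DNS_FILE"
echo "  - TLS servers: $TLS_FILE"
echo ""
echo "Next: Compare these IPs/domains with your earlier 20-minute capture"
echo "to see if startup traffic differs from runtime traffic."
echo ""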