This toolkit provides comprehensive monitoring, analysis, and blocking capabilities for network telemetry sent by The Foundry's Nuke compositor on Linux. Key features: - Network monitoring scripts with automated alerts - Multi-tier blocking methods (hosts, firewall, namespace, AppArmor) - Detailed packet capture analysis and documentation - EULA legal analysis and privacy assessment - Sanitized example captures and comprehensive guides All sensitive data (personal IPs, usernames, packet captures) removed. Ready for public sharing on Gitea.
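#!/bin/bash
#
# Wide-net startup capture - catches EVERYTHING external
#
# Records all non-local network traffic on this host while Nuke starts, so
# connections to servers outside the known Foundry/telemetry domains show up
# too.  When tshark is available the pcap is summarised afterwards
# (packet stats, destination IPs, DNS names, TLS SNI, HTTP hosts).
#
# NOTE: tcpdump sees the whole host, not just Nuke.  Anything else that talks
# to the network during the capture window lands in the pcap as well, so
# close other network-active applications first and treat the resulting files
# as sensitive before sharing them.
#
# Requires: sudo, tcpdump.  Optional: tshark (wireshark-cli) for the summary.
# Writes:   $OUTPUT_DIR/startup_wide_<timestamp>.pcap plus unique_ips_*,
#           dns_lookups_* and tls_servers_* text files with the same stamp.

set -uo pipefail

OUTPUT_DIR="$HOME/Documents/obsidian-vault/2-projects/Nuke-monitoring/dump/startup-wide"
TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)
PCAP_FILE="$OUTPUT_DIR/startup_wide_$TIMESTAMP.pcap"

# "Local" traffic to leave out: RFC 1918 and link-local IPv4, loopback,
# multicast, their IPv6 equivalents, and mDNS.  Everything else is captured.
# If Nuke reaches the internet through a proxy or VPN gateway that lives on
# one of these ranges, remove that range here or its traffic will be hidden.
CAPTURE_FILTER='not (net 10.0.0.0/8 or net 172.16.0.0/12 or net 192.168.0.0/16 or net 169.254.0.0/16 or net 127.0.0.0/8 or net 224.0.0.0/4 or net fe80::/10 or net ff00::/8 or host ::1 or port 5353)'

# Names that identify Foundry's own hosts and the telemetry services it uses,
# matched case-insensitively against both DNS query names and TLS SNI.
TELEMETRY_RE='(?i)foundry|honeycomb|sentry'
TELEMETRY_FILTER="dns.qry.name matches \"$TELEMETRY_RE\" or tls.handshake.extensions_server_name matches \"$TELEMETRY_RE\""

TCPDUMP_PID=""

# Background jobs in a non-interactive shell ignore SIGINT, so a Ctrl-C at one
# of the prompts below would leave a root tcpdump running after the script is
# gone.  Stop it on any exit path; the /proc check avoids a double kill.
cleanup() {
  if [[ -n "$TCPDUMP_PID" && -d "/proc/$TCPDUMP_PID" ]]; then
    sudo kill "$TCPDUMP_PID" 2>/dev/null || true
  fi
}
trap cleanup EXIT

mkdir -p "$OUTPUT_DIR"

echo "=== Wide-Net Nuke Startup Capture ==="
echo ""
echo "This will capture ALL external network traffic (not just Foundry domains)"
echo "so we can see if Nuke is connecting to unexpected servers."
echo ""

# Cache sudo credentials now.  tcpdump is started in the background below,
# and a password prompt coming from there would compete with the interactive
# prompts for the terminal.
if ! sudo -v; then
  echo "ERROR: sudo access is required to run tcpdump." >&2
  exit 1
fi

# Check if Nuke is running.  pgrep matches on the process name, so any
# process whose name contains "nuke" trips this; it is advisory only.
if pgrep -i nuke > /dev/null 2>&1; then
  echo "WARNING: Nuke appears to be running. Please close it first."
  echo ""
  read -r -p "Press Enter after closing Nuke..."
fi

echo ""
echo "Starting wide capture (capturing ALL external traffic)..."
echo "This will be a larger file since we're not filtering by domain."
echo ""

# -Z hands the savefile to the invoking user once the interface is open, so
# the pcap is not left root-owned; -U flushes each packet to disk so nothing
# is lost if the capture is interrupted.
sudo tcpdump -i any -U -Z "$(id -un)" -w "$PCAP_FILE" "$CAPTURE_FILTER" &
TCPDUMP_PID=$!   # PID of the sudo wrapper; sudo relays the kill below to tcpdump

# Give tcpdump a moment to open the interface and fail loudly if it did not
# (bad filter, missing binary, sudo denied) instead of "capturing" nothing.
sleep 1
if [[ ! -d "/proc/$TCPDUMP_PID" ]]; then
  echo "ERROR: tcpdump did not start (see messages above)." >&2
  exit 1
fi

echo "Capture running (PID: $TCPDUMP_PID)"
echo ""
echo "================================================"
echo "NOW LAUNCH NUKE"
echo "================================================"
echo ""
read -r -p "Press Enter after Nuke has FULLY loaded (all windows open)..."

echo ""
echo "Stopping capture..."
sudo kill "$TCPDUMP_PID" 2>/dev/null || true
wait "$TCPDUMP_PID" 2>/dev/null || true   # tcpdump flushes the pcap on its way out

echo ""
echo "Capture complete!"
echo ""

if [[ ! -f "$PCAP_FILE" ]]; then
  echo "ERROR: Capture file not created: $PCAP_FILE" >&2
  exit 1
fi

PCAP_SIZE=$(du -h "$PCAP_FILE" | cut -f1)
echo "File: $PCAP_FILE"
echo "Size: $PCAP_SIZE"
echo ""

# Basic analysis
echo "Analyzing capture..."
echo ""

if command -v tshark &> /dev/null; then
  echo "=== Packet Statistics ==="
  tshark -r "$PCAP_FILE" -q -z io,stat,0
  echo ""

  echo "=== Unique Destination IPs ==="
  # IPv6 is captured as well, so list both families; one address per line.
  tshark -r "$PCAP_FILE" -T fields -e ip.dst -e ipv6.dst 2>/dev/null \
    | tr '\t' '\n' | sed '/^$/d' | sort -u \
    | tee "$OUTPUT_DIR/unique_ips_$TIMESTAMP.txt"
  echo ""

  echo "=== DNS Lookups During Startup ==="
  # Queries as well as responses: a lookup that was blocked or went
  # unanswered is exactly the kind of thing worth seeing here.
  tshark -r "$PCAP_FILE" -Y "dns.qry.name" -T fields -e dns.qry.name 2>/dev/null \
    | sort -u | tee "$OUTPUT_DIR/dns_lookups_$TIMESTAMP.txt"
  echo ""

  echo "=== Checking for Foundry/Honeycomb/Sentry ==="
  # Look at TLS SNI as well as DNS: with a caching resolver a repeat launch
  # may produce no DNS packet at all for a host it still connects to.
  FOUNDRY_COUNT=$(tshark -r "$PCAP_FILE" -Y "$TELEMETRY_FILTER" 2>/dev/null | wc -l)

  if [[ "$FOUNDRY_COUNT" -gt 0 ]]; then
    echo "✓ FOUND $FOUNDRY_COUNT packets to Foundry/telemetry services:"
    tshark -r "$PCAP_FILE" -Y "$TELEMETRY_FILTER" 2>/dev/null
  else
    echo "✗ NO Foundry/telemetry traffic found during startup"
    echo ""
    echo "This suggests:"
    echo "  1. Telemetry only happens on FIRST launch (not subsequent launches)"
    echo "  2. Telemetry is delayed/batched (happens after startup)"
    echo "  3. Telemetry is sent later during the session"
    echo "  4. The host was reached by IP with no DNS lookup or SNI name --"
    echo "     review the unique destination IPs above by hand"
  fi

  echo ""
  echo "=== HTTP Traffic (if any) ==="
  tshark -r "$PCAP_FILE" -Y "http.request" -T fields -e http.host -e http.request.uri 2>/dev/null | head -20
  echo ""

  echo "=== TLS/HTTPS Connections (Server Name Indication) ==="
  tshark -r "$PCAP_FILE" -Y "tls.handshake.extensions_server_name" -T fields -e tls.handshake.extensions_server_name 2>/dev/null \
    | sort -u | tee "$OUTPUT_DIR/tls_servers_$TIMESTAMP.txt"
  echo ""
else
  echo "tshark not installed. Install wireshark-cli for analysis:"
  echo "  sudo pacman -S wireshark-cli"
  echo ""
  echo "You can analyze manually with:"
  echo "  wireshark $PCAP_FILE"
fi

echo ""
echo "=== Summary ==="
echo "Results saved to: $OUTPUT_DIR/"
echo "  - Raw capture: $PCAP_FILE"
echo "  - Unique IPs: $OUTPUT_DIR/unique_ips_$TIMESTAMP.txt"
echo "  - DNS lookups: $OUTPUT_DIR/dns_lookups_$TIMESTAMP.txt"
echo "  - TLS servers: $OUTPUT_DIR/tls_servers_$TIMESTAMP.txt"
echo ""
echo "Next: Compare these IPs/domains with your earlier 20-minute capture"
echo "to see if startup traffic differs from runtime traffic."
echo ""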