Issues regarding pcap generation - pcap file is always empty

[Sk4hnt42]

Prerequisites

Please answer the following questions for yourself before submitting an issue.

• I am running the latest version
• I did read the README!
• I checked the documentation and found no answer
• I checked to make sure that this issue has not already been filed
• I'm reporting the issue to the correct repository (for multi-repository projects)
• I have read and checked all configs (with all optional parts)

Expected Behavior

PCAP File beeing generated correcty and contains packet dumps. Contacted hosts and DNS Requests are beeing displayed in the analysis report.

Current Behavior

Analysis runs, gets reported but Network analysis is empty, downloading the pcap file brings up an empty dump file.

Steps to Reproduce

Please provide detailed steps for reproducing the issue.

1. Start Analysis Task
2. Check Reported Task
3. No Contacted Hosts or DNS Requests

Context

I did check the docs more than once and can not find any issue.
I've checked the troubleshooting section regarding pcap generation as well, checked the pcap permissions for cape but still won't work.

$ ll /usr/bin/tcpdump
-rwxr-xr-x 1 root pcap 1273976 Feb 16  2025 /usr/bin/tcpdump*

$ getent group pcap
pcap:x:1002:cape

tcpdump path is correct as well:

$ whereis tcpdump
tcpdump: /usr/bin/tcpdump /usr/share/man/man8/tcpdump.8.gz

In the analysis folder, there will always be a dump.pcap file, which is empty.

"enp6s18" is the interface which provides internet connectivity. Which cape seems to be using for pcap generation.

Manually running tcpdump as cape user works fine as seen below, so this should not be an issue regarding permissions.

$ sudo -u cape tcpdump -i enp6s18
[sudo] password for sandy:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp6s18, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:11:23.457190 IP madlen-sandbox.ssh > 10.10.88.1.55322: Flags [P.], seq 1874148051:1874148259, ack 3562662718, win 1431, length 208
10:11:23.512504 IP 10.10.88.1.55322 > madlen-sandbox.ssh: Flags [.], ack 0, win 254, length 0
10:11:23.539742 IP 10.10.88.1.55322 > madlen-sandbox.ssh: Flags [P.], seq 1:161, ack 208, win 253, length 160
10:11:23.540064 IP madlen-sandbox.ssh > 10.10.88.1.55322: Flags [P.], seq 208:256, ack 161, win 1452, length 48
10:11:23.550665 IP madlen-sandbox.53217 > dns9.quad9.net.domain: 32350+ [1au] PTR? 1.88.10.10.in-addr.arpa. (52)
10:11:23.578182 IP dns9.quad9.net.domain > madlen-sandbox.53217: 32350 NXDomain- 0/0/1 (52)
10:11:23.579691 IP madlen-sandbox.49724 > dns9.quad9.net.domain: 26458+ [1au] PTR? 5.195.168.192.in-addr.arpa. (55)
10:11:23.595055 IP dns9.quad9.net.domain > madlen-sandbox.49724: 26458 NXDomain- 0/0/1 (55)

Failure Logs

Cape Analysis Log:

CAPE: Config and Payload Extraction
github.com/kevoreilly/CAPEv2

XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
pip3 install certvalidator asn1crypto mscerts
2025-08-19 09:42:23,788 [modules.processing.network] INFO: Loading maxmind database from /opt/CAPEv2/modules/processing/../../data/GeoLite2-Country.mmdb
/usr/bin/tcpdump
2025-08-19 09:42:24,172 [lib.cuckoo.core.machinery_manager] INFO: Using MachineryManager[proxmox] with max_machines_count=10
2025-08-19 09:42:24,172 [lib.cuckoo.core.scheduler] INFO: Creating scheduler with max_analysis_count=unlimited
2025-08-19 09:42:24,192 [lib.cuckoo.core.machinery_manager] INFO: Loaded 1 machine
2025-08-19 09:42:24,257 [lib.cuckoo.core.machinery_manager] INFO: max_vmstartup_count for BoundedSemaphore = 5
2025-08-19 09:42:24,261 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks
2025-08-19 09:46:24,620 [lib.cuckoo.core.machinery_manager] INFO: Task #4: found useable machine SBX-Windows10-01 (arch=x86, platform=windows)
2025-08-19 09:46:24,620 [lib.cuckoo.core.scheduler] INFO: Task #4: Processing task
2025-08-19 09:46:24,875 [lib.cuckoo.core.analysis_manager] INFO: Task #4: File already exists at '/opt/CAPEv2/storage/binaries/4d70290367ad03399e17d5001842553fcd4d57e026eb330add0e3f28327d79a7'
2025-08-19 09:46:24,876 [lib.cuckoo.core.analysis_manager] INFO: Task #4: Starting analysis of FILE '/tmp/cuckoo-tmp/upload_kkwhui6f/ChromeSetup.exe'
2025-08-19 09:46:28,758 [lib.cuckoo.core.analysis_manager] INFO: Task #4: Enabled route 'internet'.
2025-08-19 09:46:28,773 [modules.auxiliary.Mitmdump] INFO: Mitmdump module loaded
2025-08-19 09:46:28,774 [modules.auxiliary.PolarProxy] INFO: PolarProxy module loaded
2025-08-19 09:46:28,774 [modules.auxiliary.QemuScreenshots] INFO: QEMU screenshots module loaded
/usr/bin/tcpdump
2025-08-19 09:46:28,789 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 26677 (interface=enp6s18, host=192.168.99.20, dump path=/opt/CAPEv2/storage/analyses/4/dump.pcap)
2025-08-19 09:46:30,085 [lib.cuckoo.core.guest] INFO: Task #4: Starting analysis on guest (id=SBX-Windows10-01, ip=192.168.99.20)
2025-08-19 09:46:58,196 [lib.cuckoo.core.guest] INFO: Task #4: Guest is running CAPE Agent 0.11 (id=SBX-Windows10-01, ip=192.168.99.20)
2025-08-19 09:47:02,270 [lib.cuckoo.core.guest] INFO: Task #4: Uploading script files to guest (id=SBX-Windows10-01, ip=192.168.99.20)
2025-08-19 09:47:11,585 [lib.cuckoo.core.resultserver] INFO: Task 4: Process 7584 (parent 5872): ChromeSetup.exe, path C:\Users\Peter Silie\AppData\Local\Temp\ChromeSetup.exe
2025-08-19 09:47:13,617 [lib.cuckoo.core.resultserver] INFO: Task 4: Process 8604 (parent 7584): updater.exe, path C:\Users\Peter Silie\AppData\Local\Temp\Google7584_1487186110\bin\updater.exe
2025-08-19 09:47:14,381 [lib.cuckoo.core.resultserver] INFO: Task 4: Process 5516 (parent 8604): updater.exe, path C:\Users\Peter Silie\AppData\Local\Temp\Google7584_1487186110\bin\updater.exe
2025-08-19 09:47:15,881 [lib.cuckoo.core.resultserver] INFO: Task 4: Process 1188 (parent 768): svchost.exe, path C:\Windows\System32\svchost.exe
2025-08-19 09:48:08,918 [lib.cuckoo.core.resultserver] INFO: Task 4: Process 7816 (parent 1188): taskhostw.exe, path C:\Windows\System32\taskhostw.exe
2025-08-19 09:48:58,604 [lib.cuckoo.core.resultserver] INFO: Task 4: Process 5244 (parent 5212): explorer.exe, path C:\Windows\explorer.exe
2025-08-19 09:49:05,053 [lib.cuckoo.core.resultserver] INFO: Task 4: Process 8916 (parent 1188): taskhostw.exe, path C:\Windows\System32\taskhostw.exe
2025-08-19 09:49:18,536 [lib.cuckoo.core.guest] INFO: Task #4: Analysis completed successfully (id=SBX-Windows10-01, ip=192.168.99.20)
2025-08-19 09:49:18,682 [lib.cuckoo.core.analysis_manager] INFO: Task #4: Disabled route 'internet'
2025-08-19 09:49:21,141 [lib.cuckoo.core.analysis_manager] INFO: Task #4: Completed analysis successfully.
2025-08-19 09:49:21,147 [lib.cuckoo.core.analysis_manager] INFO: Task #4: analysis procedure completed

[doomedraven]

Did you enable pcap in routing.conf? El mar, 19 ago 2025, 12:49, Sk4hnt42 ***@***.***> escribió:

…

*Sk4hnt42* created an issue (kevoreilly/CAPEv2#2673) <#2673> Prerequisites Please answer the following questions for yourself before submitting an issue. - I am running the latest version - I did read the README! - I checked the documentation and found no answer - I checked to make sure that this issue has not already been filed - I'm reporting the issue to the correct repository (for multi-repository projects) - I have read and checked all configs (with all optional parts) Expected Behavior PCAP File beeing generated correcty and contains packet dumps. Contacted hosts and DNS Requests are beeing displayed in the analysis report. Current Behavior Analysis runs, gets reported but Network analysis is empty, downloading the pcap file brings up an empty dump file. Steps to Reproduce Please provide detailed steps for reproducing the issue. 1. Start Analysis Task 2. Check Reported Task 3. No Contacted Hosts or DNS Requests Context I did check the docs more than once and can not find any issue. I've checked the troubleshooting section regarding pcap generation as well, checked the pcap permissions for cape but still won't work. $ ll /usr/bin/tcpdump -rwxr-xr-x 1 root pcap 1273976 Feb 16 2025 /usr/bin/tcpdump* $ getent group pcap pcap:x:1002:cape tcpdump path is correct as well: $ whereis tcpdump tcpdump: /usr/bin/tcpdump /usr/share/man/man8/tcpdump.8.gz In the analysis folder, there will always be a dump.pcap file, which is empty. "enp6s18" is the interface which provides internet connectivity. Which cape seems to be using for pcap generation. Manually running tcpdump as cape user works fine as seen below, so this should not be an issue regarding permissions. $ sudo -u cape tcpdump -i enp6s18 [sudo] password for sandy: tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on enp6s18, link-type EN10MB (Ethernet), snapshot length 262144 bytes 10:11:23.457190 IP madlen-sandbox.ssh > 10.10.88.1.55322: Flags [P.], seq 1874148051:1874148259, ack 3562662718, win 1431, length 208 10:11:23.512504 IP 10.10.88.1.55322 > madlen-sandbox.ssh: Flags [.], ack 0, win 254, length 0 10:11:23.539742 IP 10.10.88.1.55322 > madlen-sandbox.ssh: Flags [P.], seq 1:161, ack 208, win 253, length 160 10:11:23.540064 IP madlen-sandbox.ssh > 10.10.88.1.55322: Flags [P.], seq 208:256, ack 161, win 1452, length 48 10:11:23.550665 IP madlen-sandbox.53217 > dns9.quad9.net.domain: 32350+ [1au] PTR? 1.88.10.10.in-addr.arpa. (52) 10:11:23.578182 IP dns9.quad9.net.domain > madlen-sandbox.53217: 32350 NXDomain- 0/0/1 (52) 10:11:23.579691 IP madlen-sandbox.49724 > dns9.quad9.net.domain: 26458+ [1au] PTR? 5.195.168.192.in-addr.arpa. (55) 10:11:23.595055 IP dns9.quad9.net.domain > madlen-sandbox.49724: 26458 NXDomain- 0/0/1 (55) Failure Logs Cape Analysis Log: CAPE: Config and Payload Extractiongithub.com/kevoreilly/CAPEv2 XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel) pip3 install certvalidator asn1crypto mscerts 2025-08-19 09:42:23,788 [modules.processing.network] INFO: Loading maxmind database from /opt/CAPEv2/modules/processing/../../data/GeoLite2-Country.mmdb /usr/bin/tcpdump 2025-08-19 09:42:24,172 [lib.cuckoo.core.machinery_manager] INFO: Using MachineryManager[proxmox] with max_machines_count=10 2025-08-19 09:42:24,172 [lib.cuckoo.core.scheduler] INFO: Creating scheduler with max_analysis_count=unlimited 2025-08-19 09:42:24,192 [lib.cuckoo.core.machinery_manager] INFO: Loaded 1 machine 2025-08-19 09:42:24,257 [lib.cuckoo.core.machinery_manager] INFO: max_vmstartup_count for BoundedSemaphore = 5 2025-08-19 09:42:24,261 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks 2025-08-19 09:46:24,620 [lib.cuckoo.core.machinery_manager] INFO: Task #4: found useable machine SBX-Windows10-01 (arch=x86, platform=windows) 2025-08-19 09:46:24,620 [lib.cuckoo.core.scheduler] INFO: Task #4: Processing task 2025-08-19 09:46:24,875 [lib.cuckoo.core.analysis_manager] INFO: Task #4: File already exists at '/opt/CAPEv2/storage/binaries/4d70290367ad03399e17d5001842553fcd4d57e026eb330add0e3f28327d79a7' 2025-08-19 09:46:24,876 [lib.cuckoo.core.analysis_manager] INFO: Task #4: Starting analysis of FILE '/tmp/cuckoo-tmp/upload_kkwhui6f/ChromeSetup.exe' 2025-08-19 09:46:28,758 [lib.cuckoo.core.analysis_manager] INFO: Task #4: Enabled route 'internet'. 2025-08-19 09:46:28,773 [modules.auxiliary.Mitmdump] INFO: Mitmdump module loaded 2025-08-19 09:46:28,774 [modules.auxiliary.PolarProxy] INFO: PolarProxy module loaded 2025-08-19 09:46:28,774 [modules.auxiliary.QemuScreenshots] INFO: QEMU screenshots module loaded /usr/bin/tcpdump 2025-08-19 09:46:28,789 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 26677 (interface=enp6s18, host=192.168.99.20, dump path=/opt/CAPEv2/storage/analyses/4/dump.pcap) 2025-08-19 09:46:30,085 [lib.cuckoo.core.guest] INFO: Task #4: Starting analysis on guest (id=SBX-Windows10-01, ip=192.168.99.20) 2025-08-19 09:46:58,196 [lib.cuckoo.core.guest] INFO: Task #4: Guest is running CAPE Agent 0.11 (id=SBX-Windows10-01, ip=192.168.99.20) 2025-08-19 09:47:02,270 [lib.cuckoo.core.guest] INFO: Task #4: Uploading script files to guest (id=SBX-Windows10-01, ip=192.168.99.20) 2025-08-19 09:47:11,585 [lib.cuckoo.core.resultserver] INFO: Task 4: Process 7584 (parent 5872): ChromeSetup.exe, path C:\Users\Peter Silie\AppData\Local\Temp\ChromeSetup.exe 2025-08-19 09:47:13,617 [lib.cuckoo.core.resultserver] INFO: Task 4: Process 8604 (parent 7584): updater.exe, path C:\Users\Peter Silie\AppData\Local\Temp\Google7584_1487186110\bin\updater.exe 2025-08-19 09:47:14,381 [lib.cuckoo.core.resultserver] INFO: Task 4: Process 5516 (parent 8604): updater.exe, path C:\Users\Peter Silie\AppData\Local\Temp\Google7584_1487186110\bin\updater.exe 2025-08-19 09:47:15,881 [lib.cuckoo.core.resultserver] INFO: Task 4: Process 1188 (parent 768): svchost.exe, path C:\Windows\System32\svchost.exe 2025-08-19 09:48:08,918 [lib.cuckoo.core.resultserver] INFO: Task 4: Process 7816 (parent 1188): taskhostw.exe, path C:\Windows\System32\taskhostw.exe 2025-08-19 09:48:58,604 [lib.cuckoo.core.resultserver] INFO: Task 4: Process 5244 (parent 5212): explorer.exe, path C:\Windows\explorer.exe 2025-08-19 09:49:05,053 [lib.cuckoo.core.resultserver] INFO: Task 4: Process 8916 (parent 1188): taskhostw.exe, path C:\Windows\System32\taskhostw.exe 2025-08-19 09:49:18,536 [lib.cuckoo.core.guest] INFO: Task #4: Analysis completed successfully (id=SBX-Windows10-01, ip=192.168.99.20) 2025-08-19 09:49:18,682 [lib.cuckoo.core.analysis_manager] INFO: Task #4: Disabled route 'internet' 2025-08-19 09:49:21,141 [lib.cuckoo.core.analysis_manager] INFO: Task #4: Completed analysis successfully. 2025-08-19 09:49:21,147 [lib.cuckoo.core.analysis_manager] INFO: Task #4: analysis procedure completed — Reply to this email directly, view it on GitHub <#2673>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAOFH34LPKV7ZBRX6CY2R2T3OL6MDAVCNFSM6AAAAACEH3U722VHI2DSMVQWIX3LMV43ASLTON2WKOZTGMZTGOBYGQYDOOI> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[Sk4hnt42]

Did you enable pcap in routing.conf?

El mar, 19 ago 2025, 12:49, Sk4hnt42 @.***> escribió:
…

Hi,

i had not. I just activated it, restarted all services, but the issue persists.

[doomedraven]

can you post new log from logs/cuckoo.log now that you have activated it and restarted services. just generate new job and post output

[Sk4hnt42]

can you post new log from logs/cuckoo.log now that you have activated it and restarted services. just generate new job and post output

Of course! Here it is.

2025-08-19 11:37:25,253 [modules.processing.network] INFO: Loading maxmind database from /opt/CAPEv2/modules/processing/../../data/GeoLite2-Country.mmdb
2025-08-19 11:37:25,626 [lib.cuckoo.core.machinery_manager] INFO: Using MachineryManager[proxmox] with max_machines_count=10
2025-08-19 11:37:25,627 [lib.cuckoo.core.scheduler] INFO: Creating scheduler with max_analysis_count=unlimited
2025-08-19 11:37:25,650 [lib.cuckoo.core.machinery_manager] INFO: Loaded 1 machine
2025-08-19 11:37:25,700 [lib.cuckoo.core.machinery_manager] INFO: max_vmstartup_count for BoundedSemaphore = 5
2025-08-19 11:37:25,705 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks
2025-08-19 11:37:25,738 [lib.cuckoo.core.machinery_manager] INFO: Task #6: found useable machine SBX-Windows10-01 (arch=x86, platform=windows)
2025-08-19 11:37:25,738 [lib.cuckoo.core.scheduler] INFO: Task #6: Processing task
2025-08-19 11:37:25,984 [lib.cuckoo.core.analysis_manager] INFO: Task #6: File already exists at '/opt/CAPEv2/storage/binaries/4d70290367ad03399e17d5001842553fcd4d57e026eb330add0e3f2>
2025-08-19 11:37:25,985 [lib.cuckoo.core.analysis_manager] INFO: Task #6: Starting analysis of FILE '/tmp/cuckoo-tmp/upload_9te_vs52/ChromeSetup.exe'
2025-08-19 11:37:29,865 [lib.cuckoo.core.analysis_manager] INFO: Task #6: Enabled route 'internet'.
2025-08-19 11:37:29,875 [modules.auxiliary.Mitmdump] INFO: Mitmdump module loaded
2025-08-19 11:37:29,875 [modules.auxiliary.PolarProxy] INFO: PolarProxy module loaded
2025-08-19 11:37:29,876 [modules.auxiliary.QemuScreenshots] INFO: QEMU screenshots module loaded
2025-08-19 11:37:29,888 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 29710 (interface=enp6s18, host=192.168.99.20, dump path=/opt/CAPEv2/storage/analyses/6/dump.pcap)
2025-08-19 11:37:31,133 [lib.cuckoo.core.guest] INFO: Task #6: Starting analysis on guest (id=SBX-Windows10-01, ip=192.168.99.20)
2025-08-19 11:37:56,571 [lib.cuckoo.core.guest] INFO: Task #6: Guest is running CAPE Agent 0.11 (id=SBX-Windows10-01, ip=192.168.99.20)
2025-08-19 11:37:59,976 [lib.cuckoo.core.guest] INFO: Task #6: Uploading script files to guest (id=SBX-Windows10-01, ip=192.168.99.20)
2025-08-19 11:38:09,270 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 7620 (parent 4240): ChromeSetup.exe, path C:\Users\Peter Silie\AppData\Local\Temp\ChromeSetup.exe
2025-08-19 11:38:11,406 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 8572 (parent 7620): updater.exe, path C:\Users\Peter Silie\AppData\Local\Temp\Google7620_948679524\bin\up>
2025-08-19 11:38:12,072 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 8144 (parent 8572): updater.exe, path C:\Users\Peter Silie\AppData\Local\Temp\Google7620_948679524\bin\up>
2025-08-19 11:38:13,651 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 1196 (parent 728): svchost.exe, path C:\Windows\System32\svchost.exe
2025-08-19 11:38:22,190 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 5188 (parent 5128): explorer.exe, path C:\Windows\explorer.exe
2025-08-19 11:38:25,069 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 872 (parent 728): svchost.exe, path C:\Windows\System32\svchost.exe
2025-08-19 11:38:27,320 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 10200 (parent 872): OpenWith.exe, path C:\Windows\System32\OpenWith.exe
2025-08-19 11:38:28,773 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 2996 (parent 872): dllhost.exe, path C:\Windows\System32\dllhost.exe
2025-08-19 11:38:35,468 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 3144 (parent 10200): msedge.exe, path C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
2025-08-19 11:38:36,725 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 9816 (parent 872): BdeUISrv.exe, path C:\Windows\System32\BdeUISrv.exe
2025-08-19 11:38:41,164 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 9412 (parent 1196): taskhostw.exe, path C:\Windows\System32\taskhostw.exe
2025-08-19 11:38:41,599 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 5276 (parent 872): dllhost.exe, path C:\Windows\System32\dllhost.exe
2025-08-19 11:39:01,644 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 5312 (parent 872): mobsync.exe, path C:\Windows\System32\mobsync.exe
2025-08-19 11:39:10,791 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 5828 (parent 728): svchost.exe, path C:\Windows\System32\svchost.exe
2025-08-19 11:39:52,057 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 7264 (parent 1196): MusNotification.exe, path C:\Windows\System32\MusNotification.exe
2025-08-19 11:39:55,682 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 1820 (parent 7264): MusNotificationUx.exe, path C:\Windows\System32\MusNotificationUx.exe
2025-08-19 11:39:57,084 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 1080 (parent 7264): MusNotifyIcon.exe, path C:\Windows\System32\MusNotifyIcon.exe
2025-08-19 11:40:19,234 [lib.cuckoo.core.guest] INFO: Task #6: Analysis completed successfully (id=SBX-Windows10-01, ip=192.168.99.20)
2025-08-19 11:40:19,404 [lib.cuckoo.core.analysis_manager] INFO: Task #6: Disabled route 'internet'
2025-08-19 11:40:21,850 [lib.cuckoo.core.analysis_manager] INFO: Task #6: Completed analysis successfully.
2025-08-19 11:40:21,855 [lib.cuckoo.core.analysis_manager] INFO: Task #6: analysis procedure completed

[doomedraven]

INFO: Started sniffer with PID 29710 (interface=enp6s18, host=192.168.99.20, dump path=/opt/CAPEv2/storage/analyses/6/dump.pcap) El mar, 19 ago 2025, 13:45, Sk4hnt42 ***@***.***> escribió:

…

*Sk4hnt42* left a comment (kevoreilly/CAPEv2#2673) <#2673 (comment)> can you post new log from logs/cuckoo.log now that you have activated it and restarted services. just generate new job and post output Of course! Here it is. 2025-08-19 11:37:25,253 [modules.processing.network] INFO: Loading maxmind database from /opt/CAPEv2/modules/processing/../../data/GeoLite2-Country.mmdb 2025-08-19 11:37:25,626 [lib.cuckoo.core.machinery_manager] INFO: Using MachineryManager[proxmox] with max_machines_count=10 2025-08-19 11:37:25,627 [lib.cuckoo.core.scheduler] INFO: Creating scheduler with max_analysis_count=unlimited 2025-08-19 11:37:25,650 [lib.cuckoo.core.machinery_manager] INFO: Loaded 1 machine 2025-08-19 11:37:25,700 [lib.cuckoo.core.machinery_manager] INFO: max_vmstartup_count for BoundedSemaphore = 5 2025-08-19 11:37:25,705 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks 2025-08-19 11:37:25,738 [lib.cuckoo.core.machinery_manager] INFO: Task #6: found useable machine SBX-Windows10-01 (arch=x86, platform=windows) 2025-08-19 11:37:25,738 [lib.cuckoo.core.scheduler] INFO: Task #6: Processing task 2025-08-19 11:37:25,984 [lib.cuckoo.core.analysis_manager] INFO: Task #6: File already exists at '/opt/CAPEv2/storage/binaries/4d70290367ad03399e17d5001842553fcd4d57e026eb330add0e3f2> 2025-08-19 11:37:25,985 [lib.cuckoo.core.analysis_manager] INFO: Task #6: Starting analysis of FILE '/tmp/cuckoo-tmp/upload_9te_vs52/ChromeSetup.exe' 2025-08-19 11:37:29,865 [lib.cuckoo.core.analysis_manager] INFO: Task #6: Enabled route 'internet'. 2025-08-19 11:37:29,875 [modules.auxiliary.Mitmdump] INFO: Mitmdump module loaded 2025-08-19 11:37:29,875 [modules.auxiliary.PolarProxy] INFO: PolarProxy module loaded 2025-08-19 11:37:29,876 [modules.auxiliary.QemuScreenshots] INFO: QEMU screenshots module loaded 2025-08-19 11:37:29,888 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 29710 (interface=enp6s18, host=192.168.99.20, dump path=/opt/CAPEv2/storage/analyses/6/dump.pcap) 2025-08-19 11:37:31,133 [lib.cuckoo.core.guest] INFO: Task #6: Starting analysis on guest (id=SBX-Windows10-01, ip=192.168.99.20) 2025-08-19 11:37:56,571 [lib.cuckoo.core.guest] INFO: Task #6: Guest is running CAPE Agent 0.11 (id=SBX-Windows10-01, ip=192.168.99.20) 2025-08-19 11:37:59,976 [lib.cuckoo.core.guest] INFO: Task #6: Uploading script files to guest (id=SBX-Windows10-01, ip=192.168.99.20) 2025-08-19 11:38:09,270 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 7620 (parent 4240): ChromeSetup.exe, path C:\Users\Peter Silie\AppData\Local\Temp\ChromeSetup.exe 2025-08-19 11:38:11,406 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 8572 (parent 7620): updater.exe, path C:\Users\Peter Silie\AppData\Local\Temp\Google7620_948679524\bin\up> 2025-08-19 11:38:12,072 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 8144 (parent 8572): updater.exe, path C:\Users\Peter Silie\AppData\Local\Temp\Google7620_948679524\bin\up> 2025-08-19 11:38:13,651 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 1196 (parent 728): svchost.exe, path C:\Windows\System32\svchost.exe 2025-08-19 11:38:22,190 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 5188 (parent 5128): explorer.exe, path C:\Windows\explorer.exe 2025-08-19 11:38:25,069 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 872 (parent 728): svchost.exe, path C:\Windows\System32\svchost.exe 2025-08-19 11:38:27,320 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 10200 (parent 872): OpenWith.exe, path C:\Windows\System32\OpenWith.exe 2025-08-19 11:38:28,773 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 2996 (parent 872): dllhost.exe, path C:\Windows\System32\dllhost.exe 2025-08-19 11:38:35,468 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 3144 (parent 10200): msedge.exe, path C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2025-08-19 11:38:36,725 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 9816 (parent 872): BdeUISrv.exe, path C:\Windows\System32\BdeUISrv.exe 2025-08-19 11:38:41,164 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 9412 (parent 1196): taskhostw.exe, path C:\Windows\System32\taskhostw.exe 2025-08-19 11:38:41,599 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 5276 (parent 872): dllhost.exe, path C:\Windows\System32\dllhost.exe 2025-08-19 11:39:01,644 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 5312 (parent 872): mobsync.exe, path C:\Windows\System32\mobsync.exe 2025-08-19 11:39:10,791 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 5828 (parent 728): svchost.exe, path C:\Windows\System32\svchost.exe 2025-08-19 11:39:52,057 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 7264 (parent 1196): MusNotification.exe, path C:\Windows\System32\MusNotification.exe 2025-08-19 11:39:55,682 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 1820 (parent 7264): MusNotificationUx.exe, path C:\Windows\System32\MusNotificationUx.exe 2025-08-19 11:39:57,084 [lib.cuckoo.core.resultserver] INFO: Task 6: Process 1080 (parent 7264): MusNotifyIcon.exe, path C:\Windows\System32\MusNotifyIcon.exe 2025-08-19 11:40:19,234 [lib.cuckoo.core.guest] INFO: Task #6: Analysis completed successfully (id=SBX-Windows10-01, ip=192.168.99.20) 2025-08-19 11:40:19,404 [lib.cuckoo.core.analysis_manager] INFO: Task #6: Disabled route 'internet' 2025-08-19 11:40:21,850 [lib.cuckoo.core.analysis_manager] INFO: Task #6: Completed analysis successfully. 2025-08-19 11:40:21,855 [lib.cuckoo.core.analysis_manager] INFO: Task #6: analysis procedure completed — Reply to this email directly, view it on GitHub <#2673 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAOFH36AUDOVZUBPVYCQMUT3OME3ZAVCNFSM6AAAAACEH3U722VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTEMBQGQYTEOBQHE> . You are receiving this because you commented.Message ID: ***@***.***>

[Sk4hnt42]

INFO: Started sniffer with PID 29710 (interface=enp6s18,
host=192.168.99.20, dump path=/opt/CAPEv2/storage/analyses/6/dump.pcap)

El mar, 19 ago 2025, 13:45, Sk4hnt42 @.***> escribió:
…

Yes i've seen that, the file is also beeing created.
But it is empty.
But i know that there has been network activity which should be written to the pcap dump file.

[doomedraven]

can you verify this?
#2571 (comment)

• so as you saying that you sure, did you start VM manually with utils/rooter_manager.py(see -h) and enable it internet to test if it works ?

[Sk4hnt42]

can you verify this? #2571 (comment)

* so as you saying that you sure, did you start VM manually with utils/rooter_manager.py(see -h) and enable it internet to test if it works ?

I am not using libvirt, because cape is using proxmox as vm manager.

Internet access for the Analysis machine works fine.

[doomedraven]

well no one of devs are using proxmon, so i can't help more here, my advice is to start tcpdump by yourself on host to see if you can see traffic, or you need to add some custom rules. we only officially support kvm

[Sk4hnt42]

well no one of devs are using proxmon, so i can't help more here, my advice is to start tcpdump by yourself on host to see if you can see traffic, or you need to add some custom rules. we only officially support kvm

I see, thanks for your help.

Yes running tcpdump on the host as cape user works fine.

sandy@madlen-sandbox:~$ sudo -u cape tcpdump -i enp6s18
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp6s18, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:13:58.607690 IP madlen-sandbox.ssh > 10.10.6.240.52345: Flags [P.], seq 813228487:813228695, ack 2158976888, win 521, length 208
21:13:58.610409 IP 10.10.6.240.52345 > madlen-sandbox.ssh: Flags [.], ack 208, win 1020, length 0
21:13:58.654463 IP madlen-sandbox.41616 > dns9.quad9.net.domain: 14781+ [1au] AAAA? www.virustotal.com. (47)
21:13:58.669820 IP dns9.quad9.net.domain > madlen-sandbox.41616: 14781 0/1/1 (137)
21:13:58.670406 IP madlen-sandbox.47696 > 138.88.54.34.bc.googleusercontent.com.https: Flags [S], seq 565562669, win 64240, options [mss 1460,sackOK,TS val 3308019100 ecr 0,nop,wscale 7], length 0
21:13:58.684427 IP 138.88.54.34.bc.googleusercontent.com.https > madlen-sandbox.47696: Flags [S.], seq 4051756273, ack 565562670, win 65412, options [mss 960,sackOK,TS val 777585335 ecr 3308019100,nop,wscale 8], length 0
21:13:58.684478 IP madlen-sandbox.47696 > 138.88.54.34.bc.googleusercontent.com.https: Flags [.], ack 1, win 502, options [nop,nop,TS val 3308019114 ecr 777585335], length 0
21:13:58.685438 IP madlen-sandbox.47696 > 138.88.54.34.bc.googleusercontent.com.https: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 3308019115 ecr 777585335], length 517
21:13:58.698759 IP 138.88.54.34.bc.googleusercontent.com.https > madlen-sandbox.47696: Flags [.], ack 518, win 254, options [nop,nop,TS val 777585350 ecr 3308019115], length 0
21:13:58.700271 IP madlen-sandbox.46872 > dns9.quad9.net.domain: 27249+ [1au] PTR? 240.6.10.10.in-addr.arpa. (53)
21:13:58.716330 IP dns9.quad9.net.domain > madlen-sandbox.46872: 27249 NXDomain- 0/0/1 (53)
21:13:58.717742 IP madlen-sandbox.44492 > dns9.quad9.net.domain: 31232+ [1au] PTR? 5.195.168.192.in-addr.arpa. (55)
21:13:58.720152 IP 138.88.54.34.bc.googleusercontent.com.https > madlen-sandbox.47696: Flags [P.], seq 1:1897, ack 518, win 254, options [nop,nop,TS val 777585371 ecr 3308019115], length 1896
21:13:58.720213 IP madlen-sandbox.47696 > 138.88.54.34.bc.googleusercontent.com.https: Flags [.], ack 1897, win 531, options [nop,nop,TS val 3308019149 ecr 777585371], length 0
21:13:58.720240 IP 138.88.54.34.bc.googleusercontent.com.https > madlen-sandbox.47696: Flags [.], seq 1897:2845, ack 518, win 254, options [nop,nop,TS val 777585371 ecr 3308019115], length 948
21:13:58.720272 IP madlen-sandbox.47696 > 138.88.54.34.bc.googleusercontent.com.https: Flags [.], ack 2845, win 546, options [nop,nop,TS val 3308019149 ecr 777585371], length 0
21:13:58.720329 IP 138.88.54.34.bc.googleusercontent.com.https > madlen-sandbox.47696: Flags [P.], seq 2845:3793, ack 518, win 254, options [nop,nop,TS val 777585371 ecr 3308019115], length 948
21:13:58.720351 IP madlen-sandbox.47696 > 138.88.54.34.bc.googleusercontent.com.https: Flags [.], ack 3793, win 552, options [nop,nop,TS val 3308019150 ecr 777585371], length 0
21:13:58.720366 IP 138.88.54.34.bc.googleusercontent.com.https > madlen-sandbox.47696: Flags [P.], seq 3793:4529, ack 518, win 254, options [nop,nop,TS val 777585372 ecr 3308019115], length 736
21:13:58.720375 IP madlen-sandbox.47696 > 138.88.54.34.bc.googleusercontent.com.https: Flags [.], ack 4529, win 547, options [nop,nop,TS val 3308019150 ecr 777585372], length 0
21:13:58.724914 IP madlen-sandbox.47696 > 138.88.54.34.bc.googleusercontent.com.https: Flags [P.], seq 518:598, ack 4529, win 552, options [nop,nop,TS val 3308019154 ecr 777585372], length 80
21:13:58.725604 IP madlen-sandbox.47696 > 138.88.54.34.bc.googleusercontent.com.https: Flags [P.], seq 598:926, ack 4529, win 552, options [nop,nop,TS val 3308019155 ecr 777585372], length 328
21:13:58.733209 IP dns9.quad9.net.domain > madlen-sandbox.44492: 31232 NXDomain- 0/0/1 (55)
21:13:58.734712 IP madlen-sandbox.ssh > 10.10.6.240.52345: Flags [P.], seq 208:496, ack 1, win 521, length 288
21:13:58.735169 IP madlen-sandbox.ssh > 10.10.6.240.52345: Flags [P.], seq 496:752, ack 1, win 521, length 256
21:13:58.735483 IP madlen-sandbox.59956 > dns9.quad9.net.domain: 62969+ [1au] PTR? 138.88.54.34.in-addr.arpa. (54)
21:13:58.737828 IP 10.10.6.240.52345 > madlen-sandbox.ssh: Flags [.], ack 752, win 1018, length 0
21:13:58.738966 IP 138.88.54.34.bc.googleusercontent.com.https > madlen-sandbox.47696: Flags [.], ack 926, win 253, options [nop,nop,TS val 777585390 ecr 3308019154], length 0
21:13:58.828469 IP dns9.quad9.net.domain > madlen-sandbox.59956: 62969 1/0/1 PTR 138.88.54.34.bc.googleusercontent.com. (105)
21:13:58.830158 IP madlen-sandbox.ssh > 10.10.6.240.52345: Flags [P.], seq 752:1984, ack 1, win 521, length 1232
21:13:58.830263 IP madlen-sandbox.ssh > 10.10.6.240.52345: Flags [P.], seq 1984:3280, ack 1, win 521, length 1296
21:13:58.830400 IP madlen-sandbox.ssh > 10.10.6.240.52345: Flags [P.], seq 3280:4096, ack 1, win 521, length 816
21:13:58.830524 IP madlen-sandbox.ssh > 10.10.6.240.52345: Flags [P.], seq 4096:4352, ack 1, win 521, length 256
21:13:58.830576 IP madlen-sandbox.ssh > 10.10.6.240.52345: Flags [P.], seq 4352:4912, ack 1, win 521, length 560
21:13:58.833426 IP 10.10.6.240.52345 > madlen-sandbox.ssh: Flags [.], ack 3280, win 1023, length 0
21:13:58.833426 IP 10.10.6.240.52345 > madlen-sandbox.ssh: Flags [.], ack 4352, win 1019, length 0
21:13:58.883855 IP 10.10.6.240.52345 > madlen-sandbox.ssh: Flags [.], ack 4912, win 1023, length 0
21:13:58.907460 IP madlen-sandbox.ssh > 10.10.6.240.52345: Flags [P.], seq 4912:5968, ack 1, win 521, length 1056
21:13:58.960257 IP 10.10.6.240.52345 > madlen-sandbox.ssh: Flags [.], ack 5968, win 1019, length 0
21:13:58.962936 IP 138.88.54.34.bc.googleusercontent.com.https > madlen-sandbox.47696: Flags [.], seq 4529:5477, ack 926, win 253, options [nop,nop,TS val 777585614 ecr 3308019154], length 948
21:13:58.963044 IP 138.88.54.34.bc.googleusercontent.com.https > madlen-sandbox.47696: Flags [P.], seq 5477:5502, ack 926, win 253, options [nop,nop,TS val 777585614 ecr 3308019154], length 25
21:13:58.963062 IP madlen-sandbox.47696 > 138.88.54.34.bc.googleusercontent.com.https: Flags [.], ack 5502, win 567, options [nop,nop,TS val 3308019392 ecr 777585614], length 0
21:13:58.965525 IP madlen-sandbox.47696 > 138.88.54.34.bc.googleusercontent.com.https: Flags [F.], seq 926, ack 5502, win 567, options [nop,nop,TS val 3308019395 ecr 777585614], length 0
21:13:58.983945 IP 138.88.54.34.bc.googleusercontent.com.https > madlen-sandbox.47696: Flags [F.], seq 5502, ack 927, win 253, options [nop,nop,TS val 777585635 ecr 3308019395], length 0
21:13:58.983980 IP madlen-sandbox.47696 > 138.88.54.34.bc.googleusercontent.com.https: Flags [.], ack 5503, win 567, options [nop,nop,TS val 3308019413 ecr 777585635], length 0
21:13:59.010996 IP madlen-sandbox.ssh > 10.10.6.240.52345: Flags [P.], seq 5968:7360, ack 1, win 521, length 1392
21:13:59.069308 IP 10.10.6.240.52345 > madlen-sandbox.ssh: Flags [.], ack 7360, win 1023, length 0