PCAP over IP to NetworkMiner

Most are familiar with Wireshark and with using dumpcap to create a pcap file on a remote host. Below is a remote dumpcap session streaming over netcat to the NetworkMiner packet analyzer by netresec.com. NetworkMiner is a network forensics tool that decodes the pcap stream in real time and displays the images, videos, files, sessions and DNS traffic it contains.

On NetworkMiner:
File > Receive Pcap over IP > Start

On your router:
dumpcap -i eth0 -P -w - -f "ether host 90:b6:86:24:61:86" | nc 10.0.5.2 57012
Where:
eth0 = The interface (or interface.vlan) you want to capture. Leave the vlan off to capture all vlans, including their vlan tags.
eth0.4 = Capture vlan 4 on the first physical ethernet interface.
90:b6:86:24:61:86 = The MAC address of the device you want to capture.
10.0.5.2 = The host running NetworkMiner. Do not capture the traffic you are streaming to it, or the capture feeds back on itself in a loop.
57012 = The port NetworkMiner is listening on.
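To see what arrives on that port, here is an added Python listener and parser for the libpcap stream that `dumpcap -P ... | nc` produces; it is example code, not part of these notes or of NetworkMiner. The sample stream is constructed: the device MAC is the one from the command above, while the gateway MAC, timestamps and payloads are made up.

```python
import socket
import struct

# libpcap magic numbers: microsecond and nanosecond variants, each endianness
ENDIAN = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}

def parse_global_header(hdr):
    """Decode the 24-byte libpcap file header; reject pcapng (dumpcap without -P)."""
    endian = ENDIAN.get(struct.unpack("<I", hdr[:4])[0])
    if endian is None:
        raise ValueError("not a libpcap stream (pcapng? re-run dumpcap with -P)")
    vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", hdr[4:24])
    return {"endian": endian, "version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype}

def iter_records(data, endian):
    """Yield (caplen, frame) for every complete 16-byte record header plus payload."""
    off = 0
    while off + 16 <= len(data):
        _sec, _frac, caplen, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        if off + 16 + caplen > len(data):
            break  # partial record at the tail: a live receiver waits for more bytes
        yield caplen, data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def summarize_stream(blob):
    """Count frames and collect Ethernet MACs, so the 'ether host' filter can be checked."""
    meta = parse_global_header(blob[:24])
    macs, packets, captured = set(), 0, 0
    for caplen, frame in iter_records(blob[24:], meta["endian"]):
        packets, captured = packets + 1, captured + caplen
        if meta["linktype"] == 1 and len(frame) >= 14:  # LINKTYPE_ETHERNET
            macs.add(frame[:6].hex(":"))    # destination MAC
            macs.add(frame[6:12].hex(":"))  # source MAC
    return {"linktype": meta["linktype"], "packets": packets, "captured_bytes": captured, "macs": macs}

def receive_pcap_over_ip(port=57012):
    """Listen as NetworkMiner does; buffer one sender's stream until it closes, then summarize."""
    with socket.create_server(("0.0.0.0", port)) as srv:
        conn, _peer = srv.accept()
        with conn:
            blob = b"".join(iter(lambda: conn.recv(65536), b""))
    return summarize_stream(blob)

def build_sample_stream():
    """Constructed sample: two tiny Ethernet frames to/from 90:b6:86:24:61:86, as dumpcap -P writes them."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)  # v2.4, snaplen 262144, Ethernet
    dev, gw = bytes.fromhex("90b686246186"), bytes.fromhex("001122334455")  # gateway MAC is made up
    frames = [gw + dev + b"\x08\x00" + b"\x00" * 20, dev + gw + b"\x08\x00" + b"\x00" * 30]
    records = b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + records
```

If the MAC set contains addresses other than the device and its peers, the `ether host` filter is not doing what you expect; if `parse_global_header` raises, the sender is emitting pcapng, which this receiver does not handle.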

Install Grub

Notes for installing Grub on a disk to which the basic system files have already been copied. More details


#Dump the Windows key from the PC motherboard (ACPI MSDM table) to use in your Windows VM after you get Linux installed:
tail -c+57 /sys/firmware/acpi/tables/MSDM


#Local Disk Copy with progress indicator, but not verbose file by file detail:
rsync -aSWxHAX --info=progress2 --numeric-ids /source-dir/ /target-dir/



#mount the partitions you use, skip those you do not
sudo mount /dev/sdXY /mnt
sudo mount /dev/sdXY /mnt/boot
sudo mount /dev/sdXY /mnt/boot/efi

#Mount the critical virtual file systems. Run the following as a single command:
for i in /dev /dev/pts /proc /sys /run; do sudo mount -B "$i" "/mnt$i"; done

#Chroot into your normal system device:
sudo chroot /mnt

#Reinstall GRUB 2 (substitute the correct device, e.g. sda or sdb;
#do not specify a partition number):
grub-install /dev/sdX

#Recreate the GRUB 2 menu file (grub.cfg)
update-grub

#Exit chroot: CTRL-D on keyboard

#Reboot.
sudo reboot