pcap-broker

pcap-broker is a tool to capture network traffic and make this available to one or more clients via PCAP-over-IP.

PCAP-over-IP can be useful in situations where low latency is a priority, for example during Attack and Defend CTFs. More information on PCAP-over-IP can be found here:

pcap-broker supports the following features:

  • Distributes packet data to one or more PCAP-over-IP clients
  • Reads pcap data from stdin (for example from a tcpdump command)
  • Exits when the capture command exits, that is, when stdin reaches end-of-file

Installation

go install github.com/UlisseLab/pcap-broker/cmd/pcap-broker@latest

Building

To build pcap-broker:

$ go build ./cmd/pcap-broker
$ ./pcap-broker --help

Or you can build the Docker container:

$ docker build -t pcap-broker .
$ docker run -it pcap-broker --help

Running

$ ./pcap-broker --help
Usage of ./pcap-broker:
  -debug
        enable debug logging
  -json
        enable json logging
  -listen string
        listen address for pcap-over-ip (eg: localhost:4242)

Arguments can be passed on the command line:

$ sudo tcpdump -i eth0 -n --immediate-mode -s 65535 -U -w - | ./pcap-broker -listen :4242

Or alternatively via environment variables:

#!/bin/bash
export LISTEN_ADDRESS=:4242

sudo tcpdump -i eth0 -n --immediate-mode -s 65535 -U -w - | ./pcap-broker

Now you can connect to it via TCP and stream PCAP data using nc and tcpdump. Note that the option list above has no authentication or TLS setting: whoever can reach the listen address receives the whole capture, so bind to localhost or to a firewalled address unless every host that can reach the port is trusted.

$ nc -v localhost 4242 | tcpdump -nr -

Or use a tool that natively supports PCAP-over-IP, for example tshark:

$ tshark -i TCP@localhost:4242
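What a PCAP-over-IP client receives over the socket is byte-for-byte a pcap file: a 24-byte global header, then a 16-byte record header and the packet data for every packet, which is why piping nc into tcpdump -r - works. The Go program below is an added example, not code from pcap-broker or from any of the tools named above. Given a broker address as its first argument it connects there and prints one line per packet; run without arguments it parses a two-packet stream constructed inside the program (the timestamps and payloads are made up for the demo). Before allocating a record buffer it checks incl_len against the stream's own snaplen and libpcap's maximum, so a corrupt or hostile sender cannot make it allocate gigabytes, and it reports a record cut off mid-way as io.ErrUnexpectedEOF rather than as a clean end of capture. The type and function names are this example's own.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"log"
	"net"
	"os"
	"time"
)

// pcap magic numbers (microsecond and nanosecond variants) and libpcap's maximum snaplen.
const magicMicro, magicNano, maxSnapLen = 0xa1b2c3d4, 0xa1b23c4d, 262144

type PcapHeader struct {
	Order             binary.ByteOrder
	NanoTS            bool
	SnapLen, LinkType uint32
}

type Packet struct {
	Timestamp time.Time
	OrigLen   uint32 // length on the wire; len(Data) is at most snaplen
	Data      []byte
}

// ReadPcapHeader consumes the 24-byte global header the broker sends first
// and derives byte order and timestamp resolution from the magic number.
func ReadPcapHeader(r io.Reader) (*PcapHeader, error) {
	var b [24]byte
	if _, err := io.ReadFull(r, b[:]); err != nil {
		return nil, err
	}
	h := &PcapHeader{}
	for _, o := range []binary.ByteOrder{binary.LittleEndian, binary.BigEndian} {
		if m := o.Uint32(b[0:4]); m == magicMicro || m == magicNano {
			h.Order, h.NanoTS = o, m == magicNano
		}
	}
	if h.Order == nil {
		return nil, fmt.Errorf("not a pcap stream: magic %x", b[0:4])
	}
	h.SnapLen, h.LinkType = h.Order.Uint32(b[16:20]), h.Order.Uint32(b[20:24])
	return h, nil
}

// ReadPacket consumes one 16-byte record header plus its data. A clean io.EOF
// comes back only on a record boundary; a record cut off anywhere else is
// io.ErrUnexpectedEOF, which tells a dead broker connection from a finished capture.
func ReadPacket(r io.Reader, h *PcapHeader) (*Packet, error) {
	var rec [16]byte
	if _, err := io.ReadFull(r, rec[:]); err != nil {
		return nil, err
	}
	sec, frac := h.Order.Uint32(rec[0:4]), h.Order.Uint32(rec[4:8])
	inclLen, origLen := h.Order.Uint32(rec[8:12]), h.Order.Uint32(rec[12:16])
	// Validate the length against the stream's own snaplen before allocating.
	if inclLen > maxSnapLen || (h.SnapLen != 0 && inclLen > h.SnapLen) {
		return nil, fmt.Errorf("record incl_len %d exceeds snaplen %d", inclLen, h.SnapLen)
	}
	data := make([]byte, inclLen)
	if _, err := io.ReadFull(r, data); err != nil {
		if errors.Is(err, io.EOF) { // zero bytes of a non-empty body is still truncation
			err = io.ErrUnexpectedEOF
		}
		return nil, fmt.Errorf("truncated record: %w", err)
	}
	nsec := int64(frac)
	if !h.NanoTS {
		nsec *= 1000
	}
	return &Packet{Timestamp: time.Unix(int64(sec), nsec).UTC(), OrigLen: origLen, Data: data}, nil
}

// sampleStream is a constructed two-packet little-endian pcap stream (not a real capture).
func sampleStream() []byte {
	le := binary.LittleEndian
	var buf bytes.Buffer
	binary.Write(&buf, le, uint32(magicMicro))
	binary.Write(&buf, le, []uint16{2, 4})          // version 2.4
	binary.Write(&buf, le, []uint32{0, 0, 65535, 1}) // thiszone, sigfigs, snaplen, LINKTYPE_ETHERNET
	for i, p := range [][]byte{{0xde, 0xad, 0xbe, 0xef}, {0x01, 0x02}} {
		// ts_sec, ts_usec, incl_len, orig_len (orig_len > incl_len: frame cut at snaplen)
		binary.Write(&buf, le, []uint32{uint32(1700000000 + i), uint32(500000 * i), uint32(len(p)), uint32(len(p) + 10)})
		buf.Write(p)
	}
	return buf.Bytes()
}

func main() {
	var src io.Reader = bytes.NewReader(sampleStream()) // offline demo input
	if len(os.Args) > 1 { // e.g. localhost:4242, the broker's -listen address
		conn, err := net.DialTimeout("tcp", os.Args[1], 5*time.Second)
		if err != nil {
			log.Fatal(err)
		}
		defer conn.Close()
		src = conn
	}
	hdr, err := ReadPcapHeader(src)
	if err != nil {
		log.Fatal(err)
	}
	var pkt *Packet
	for pkt, err = ReadPacket(src, hdr); err == nil; pkt, err = ReadPacket(src, hdr) {
		fmt.Printf("%s linktype=%d len=%d/%d\n", pkt.Timestamp.Format(time.RFC3339Nano), hdr.LinkType, len(pkt.Data), pkt.OrigLen)
	}
	if !errors.Is(err, io.EOF) {
		log.Fatal(err) // cut-off record or dead connection, not a finished capture
	}
}
```

Against a running broker, pass its listen address as the only argument; with no argument the program parses the embedded sample and exits. For a high-rate capture, wrap the connection in a bufio.Reader so each record header does not cost a separate read syscall.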

Acquiring PCAP data over SSH

One use case is to acquire PCAP from a remote machine over SSH and make this available via PCAP-over-IP.

$ ssh user@remotehost "sudo tcpdump -i eth0 -n --immediate-mode -s 65535 -U -w -" | ./pcap-broker -listen :4242

Tip

The SSH session carrying the capture is itself traffic on eth0, so without a filter every packet sent back to you is captured and sent again, and the stream feeds back on itself. Exclude it with a BPF filter such as not port 22 at the end of the tcpdump command:

$ ssh user@remotehost "sudo tcpdump -i eth0 -n --immediate-mode -s 65535 -U -w - not port 22" | ./pcap-broker -listen :4242

Background

This tool was initially written for Attack & Defend CTF purposes but can be useful in other situations where low latency is preferred, or whenever a no-nonsense PCAP-over-IP server is needed. During the CTF that Fox-IT participated in, pcap-broker allowed the Blue Team to capture network data once and disseminate this to other tools that natively support PCAP-over-IP, such as:

  • Arkime
  • Tulip (after we did some custom patches)
  • Wireshark's dumpcap and tshark

Contributors

vaiton, yunzheng

Issues

Parallelize packet sending

Currently, every time a packet is received it is sent sequentially to all open streams. The problem is that if the send operation blocks (for whatever reason, e.g. a full TCP buffer) the loop stops and all the other clients stop receiving traffic.

One solution could be to create a worker pool with the ants package [1] and, for each packet, submit to the pool a job that sends a SINGLE packet to a SINGLE client.

Since the packet is passed by reference, this should not add much overhead. Inside the coroutine, add timeouts and, if necessary, close the connection and free the associated resources.

Another solution considered was to create one coroutine per channel, but more coordination would be needed to close the channels.

Footnotes

  1. https://github.com/panjf2000/ants
