Home
Welcome to the packetcap wiki!
```
Usage: pcap [options...] [device]

Options:
  -d    list all available network devices on machine
  -f    pcap filter string to be used
  -w    write packet filter to filename specified
  -r    send filtered packet to remote target ipaddr:port using udp tunnel
  -h    help menu

device - the local device or interface to enable packet capture
```
PacketCap uses the google/gopacket module to decode packets with a BPF filter and to write the captured packets to a pcap-format file.

The "-r" flag allows the captured packets to be sent to a remote target over UDP. A possible use case is a large-scale deployment of servers, or containers, where filtered traffic needs to be streamed to a remote centralised monitoring server to get a better understanding of what is going on in the network. The code simply copies the stringified output of packet.Dump() into the established UDP socket.
Usage example: `pcap -f "ip and udp port 53 and tcp port 53" -r 127.0.0.1:5555 en0`

This tells packetcap to capture all traffic matching the filter on interface en0 and send it to the remote target 127.0.0.1 on UDP port 5555. The remote IP can be on a different virtual machine, on the host machine, or even in a different network. Because UDP is used, the remote end can view the streamed traffic with a variety of tools:
1. Netcat listening on the matching UDP port (`nc -luv 5555`); netcat terminates the UDP stream, strips the UDP headers and presents what is being sent. You can also redirect the standard output to a file.
2. Wireshark's tshark capturing on the UDP port and saving it into a pcap file. The pcap file will show the UDP overhead and the data.
3. tcpdump, to do exactly the same as (2) if tshark is not available.
4. Wireshark's udpdump listener interface, which has an option to write the stream data into a pcap file.
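The following is an added example, not packetcap's own code and not from the google/gopacket project. It exercises both sides of the "-r" flow over loopback so it can be run offline: the sender writes each stringified dump as one plaintext UDP datagram (as packetcap does), and the receiver plays the role of the listeners above, reading the datagrams and writing them to a pcap file image. Assumptions: the pcap file is built by hand from the libpcap global header and record layout (standard library only, no libpcap or pcapgo), records are tagged with link type USER0 (147) because each record holds a text dump rather than a real frame, and the sample dumps are constructed strings standing in for packet.Dump() output.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"net"
	"os"
	"time"
)

// LinkTypeUser0 (147) marks the records as application-defined payloads:
// each record holds one received datagram body (a text dump), not an Ethernet frame.
const LinkTypeUser0 uint32 = 147

// pcapGlobalHeader builds the 24-byte libpcap file header (little-endian, version 2.4).
func pcapGlobalHeader(linkType uint32) []byte {
	buf := new(bytes.Buffer)
	for _, v := range []interface{}{
		uint32(0xa1b2c3d4),   // magic number, microsecond timestamps
		uint16(2), uint16(4), // version 2.4
		int32(0),             // timezone correction (unused)
		uint32(0),            // timestamp accuracy (unused)
		uint32(65535),        // snaplen
		linkType,
	} {
		binary.Write(buf, binary.LittleEndian, v)
	}
	return buf.Bytes()
}

// pcapRecord builds one 16-byte record header followed by the packet bytes.
func pcapRecord(ts time.Time, data []byte) []byte {
	buf := new(bytes.Buffer)
	binary.Write(buf, binary.LittleEndian, uint32(ts.Unix()))           // ts_sec
	binary.Write(buf, binary.LittleEndian, uint32(ts.Nanosecond()/1000)) // ts_usec
	binary.Write(buf, binary.LittleEndian, uint32(len(data)))            // captured length
	binary.Write(buf, binary.LittleEndian, uint32(len(data)))            // original length
	buf.Write(data)
	return buf.Bytes()
}

// streamDumps mirrors the "-r" behaviour: each stringified packet dump is written
// as one UDP datagram to target. Nothing on this path is encrypted or authenticated.
func streamDumps(target string, dumps []string) error {
	conn, err := net.Dial("udp", target)
	if err != nil {
		return err
	}
	defer conn.Close()
	for _, d := range dumps {
		if _, err := conn.Write([]byte(d)); err != nil {
			return err
		}
	}
	return nil
}

// collectDumps is the listener side (what nc, tshark, tcpdump or udpdump do):
// it reads up to n datagrams from conn, giving up at timeout, and returns the
// payloads plus a pcap file image holding one record per datagram.
func collectDumps(conn *net.UDPConn, n int, timeout time.Duration) ([]string, []byte, error) {
	var received []string
	out := bytes.NewBuffer(pcapGlobalHeader(LinkTypeUser0))
	buf := make([]byte, 65535)
	deadline := time.Now().Add(timeout)
	for len(received) < n {
		conn.SetReadDeadline(deadline)
		k, _, err := conn.ReadFromUDP(buf)
		if err != nil {
			return received, out.Bytes(), err
		}
		payload := append([]byte(nil), buf[:k]...)
		received = append(received, string(payload))
		out.Write(pcapRecord(time.Now(), payload))
	}
	return received, out.Bytes(), nil
}

// relayDemo wires both halves together over 127.0.0.1 on an ephemeral port.
func relayDemo(dumps []string) ([]string, []byte, error) {
	conn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
	if err != nil {
		return nil, nil, err
	}
	defer conn.Close()
	type result struct {
		got  []string
		pcap []byte
		err  error
	}
	done := make(chan result, 1)
	go func() {
		got, p, err := collectDumps(conn, len(dumps), 3*time.Second)
		done <- result{got, p, err}
	}()
	if err := streamDumps(conn.LocalAddr().String(), dumps); err != nil {
		return nil, nil, err
	}
	r := <-done
	return r.got, r.pcap, r.err
}

func main() {
	// Constructed sample dumps standing in for packet.Dump() output (not real captures).
	dumps := []string{
		"-- FULL PACKET DATA (constructed) -- 00000000  45 00 00 3c\n",
		"-- Layer 1 -- Ethernet (constructed)\n",
	}
	got, pcapImage, err := relayDemo(dumps)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("received %d datagrams, pcap image is %d bytes\n", len(got), len(pcapImage))
	os.WriteFile("stream.pcap", pcapImage, 0o644)
}
```

Running it writes `stream.pcap`, which Wireshark opens as link type USER0 with one record per datagram; the same record layout is what a real listener such as tshark produces, except that a real capture also carries the IP and UDP headers of each datagram in front of the payload.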
Because the captured packets are sent over UDP, the transport is not encrypted. The stringified data is exposed and at risk of MITM (interception or tampering) when sent across a remote network. The plan is to add DTLS and gRPC as remote-target transports so that the transport is encrypted. This also means the remote end will need to support a DTLS or gRPC listener.

Testing has been done on macOS and Linux machines, sending traffic in both directions, with netcat, tshark, tcpdump and Wireshark udpdump as the listeners.