Tool for Passive Network Monitoring
-
I have developed a tool "mydump.go" which can be used as Passive network monitoring application. It is written in Go programming language using gopacket libraries.
-
It captures traffic in Promiscuous mode which allows the network device to intercept and read each network packet.
-
Implementaion:
A. For Offline mode, the program reads the pcap file using "pcap.OpenOffline(pcapFile)" which returns a handle. B. For Live mode, the program captures the network traffic using "pcap.OpenLive(device, snapshot_len, promiscuous, timeout)" which return a handle. C. After extracting the handle, both the modes extract packetSource from gopacket.NewPacketSource(handle, handle.LinkType()) ,i.e. a library of gopacket. D. Then it parses the packetSource for individual packet and apply required filters(pattern matching,BPFFilter) and prints the processed output.
- Usage of mydump.go: sudo go run mydump.go [-i ens33] [-r "default"] [-s ""] tcp -i string a interface string (default "ens33") -r string offline file path string (default "default") -s string packet pattern string
The mentioned parameters' values are the default values. "ens33": It is the first interface device recognized by the program which can change for different machines. "offline.pcap": It is the pcap file where we have already dumped the network logs and packets. We are parsing this file in offline mode. By default the value is "default" for this parameter. -s "": The default pattern is the empty string which means the program will fetch all the packets. "tcp": This is being used as BPF Filter string.
- Output Examples:
A. Using default parameter values:
sudo go run mydump.go
...listening on ens33 2021-03-12 19:12:25.377455 00:0c:29:85:7e:1b -> 00:50:56:ed:40:61 type 0x800 len 78 192.168.86.128:38056 -> 184.24.151.145:443(https) TCP PSH ACK 00000000 45 00 00 40 98 09 40 00 40 06 3b dc c0 a8 56 80 |E..@..@.@.;...V.| 00000010 b8 18 97 91 94 a8 01 bb 37 7e ee 94 47 44 90 47 |........7~..GD.G| 00000020 50 18 ff ff 67 05 00 00 17 03 03 00 13 da 59 2c |P...g.........Y,| 00000030 fc 8a 80 c5 16 0b b3 ed 64 29 ae 4d 94 e0 81 7a |........d).M...z|
B. Using different interface device (lo):
sudo go run mydump.go -i lo
...listening on lo 2021-03-12 19:15:18.900622 00:00:00:00:00:00 -> 00:00:00:00:00:00 type 0x800 len 96 127.0.0.1:50286 -> 127.0.0.53:53(domain) UDP 00000000 45 00 00 52 22 da 40 00 40 11 19 8b 7f 00 00 01 |E..R".@.@.......| 00000010 7f 00 00 35 c4 6e 00 35 00 3e fe 85 68 ab 01 00 |...5.n.5.>..h...| 00000020 00 01 00 00 00 00 00 01 06 76 6f 72 74 65 78 04 |.........vortex.| 00000030 64 61 74 61 09 6d 69 63 72 6f 73 6f 66 74 03 63 |data.microsoft.c| 00000040 6f 6d 00 00 01 00 01 00 00 29 04 00 00 00 00 00 |om.......)......| 00000050 00 00
C. Reading the offline file(offline.pcap) with BPF filter(tcp and port 443)
sudo go run mydump.go -i ens33 -r offline.pcap tcp and port 443
2013-01-12 14:35:49.724737 c4:3d:c7:17:6f:9b -> 00:0c:29:e9:94:8e type 0x800 len 171 122.154.101.54:39437 -> 192.168.0.200:443(https) TCP PSH ACK 00000000 45 00 00 9d 6b 0f 40 00 2c 06 42 0b 7a 9a 65 36 |E...k.@.,.B.z.e6| 00000010 c0 a8 00 c8 9a 0d 01 bb 84 a0 00 fd db c2 57 d3 |..............W.| 00000020 80 18 00 2e 13 ad 00 00 01 01 08 0a 08 75 79 36 |.............uy6| 00000030 00 32 35 1a 80 67 01 03 01 00 4e 00 00 00 10 00 |.25..g....N.....| 00000040 00 39 00 00 38 00 00 35 00 00 16 00 00 13 00 00 |.9..8..5........| 00000050 0a 07 00 c0 00 00 33 00 00 32 00 00 2f 03 00 80 |......3..2../...| 00000060 00 00 05 00 00 04 01 00 80 00 00 15 00 00 12 00 |................| 00000070 00 09 06 00 40 00 00 14 00 00 11 00 00 08 00 00 |....@...........| 00000080 06 04 00 80 00 00 03 02 00 80 00 00 ff 0d 21 3b |..............!;| 00000090 d5 b5 7b 08 01 50 0d c5 a5 c2 c1 af 38 |..{..P......8|
D. Again in offline mode, Filtering and printing the packets which contains the pattern(HTTP).
sudo go run mydump.go -i ens33 -r offline.pcap -s HTTP
2013-01-14 13:26:42.610532 c4:3d:c7:17:6f:9b -> 01:00:5e:7f:ff:fa type 0x800 len 405 192.168.0.1:1900(ssdp) -> 239.255.255.250:1900(ssdp) UDP 00000000 45 00 01 87 57 c3 00 00 01 11 af ff c0 a8 00 01 |E...W...........| 00000010 ef ff ff fa 07 6c 07 6c 01 73 1f 78 4e 4f 54 49 |.....l.l.s.xNOTI| 00000020 46 59 20 2a 20 48 54 54 50 2f 31 2e 31 0d 0a 48 |FY * HTTP/1.1..H| 00000030 6f 73 74 3a 20 32 33 39 2e 32 35 35 2e 32 35 35 |ost: 239.255.255| 00000040 2e 32 35 30 3a 31 39 30 30 0d 0a 43 61 63 68 65 |.250:1900..Cache| 00000050 2d 43 6f 6e 74 72 6f 6c 3a 20 6d 61 78 2d 61 67 |-Control: max-ag| 00000060 65 3d 36 30 0d 0a 4c 6f 63 61 74 69 6f 6e 3a 20 |e=60..Location: | 00000070 68 74 74 70 3a 2f 2f 31 39 32 2e 31 36 38 2e 30 |http://192.168.0| 00000080 2e 31 3a 31 39 30 30 2f 57 46 41 44 65 76 69 63 |.1:1900/WFADevic| 00000090 65 2e 78 6d 6c 0d 0a 4e 54 53 3a 20 73 73 64 70 |e.xml..NTS: ssdp| 000000a0 3a 61 6c 69 76 65 0d 0a 53 65 72 76 65 72 3a 20 |:alive..Server: | 000000b0 50 4f 53 49 58 2c 20 55 50 6e 50 2f 31 2e 30 20 |POSIX, UPnP/1.0 | 000000c0 42 72 6f 61 64 63 6f 6d 20 55 50 6e 50 20 53 74 |Broadcom UPnP St| 000000d0 61 63 6b 2f 65 73 74 69 6d 61 74 69 6f 6e 20 31 |ack/estimation 1| 000000e0 2e 30 30 0d 0a 4e 54 3a 20 75 72 6e 3a 73 63 68 |.00..NT: urn:sch| 000000f0 65 6d 61 73 2d 77 69 66 69 61 6c 6c 69 61 6e 63 |emas-wifiallianc| 00000100 65 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 46 |e-org:service:WF| 00000110 41 57 4c 41 4e 43 6f 6e 66 69 67 3a 31 0d 0a 55 |AWLANConfig:1..U| 00000120 53 4e 3a 20 75 75 69 64 3a 46 35 31 39 33 39 30 |SN: uuid:F519390| 00000130 41 2d 34 34 44 44 2d 32 39 35 38 2d 36 32 33 37 |A-44DD-2958-6237| 00000140 2d 45 41 33 37 42 39 38 37 43 33 46 44 3a 3a 75 |-EA37B987C3FD::u| 00000150 72 6e 3a 73 63 68 65 6d 61 73 2d 77 69 66 69 61 |rn:schemas-wifia| 00000160 6c 6c 69 61 6e 63 65 2d 6f 72 67 3a 73 65 72 76 |lliance-org:serv| 00000170 69 63 65 3a 57 46 41 57 4c 41 4e 43 6f 6e 66 69 |ice:WFAWLANConfi| 00000180 67 3a 31 0d 0a 0d 0a