Add PCAP-over-IP support #464

Open
mmguero opened this issue Nov 5, 2024 · 0 comments
Labels
capture (Relating to pcap-capture container), enhancement (New feature or request)

Comments

Collaborator

mmguero commented Nov 5, 2024

@mmguero cloned issue idaholab/Malcolm#255 on 2023-09-06:

Submitted by @erik4711 as #278

💡 Summary

Add support for PCAP-over-IP (aka PcapOverTcp) to allow Malcolm to read a continuous PCAP stream of network traffic from a remote machine. This feature also enables reading decrypted TLS traffic from a TLS inspection proxy.

Motivation and context

Individual tools that handle PCAP files or network traffic have support for reading PCAP-over-IP. There is for example a Zeek plugin Zeek::PcapOverTcp, which can read PCAP data from a remote sniffer or a TLS decryption proxy. However, it would be helpful if Malcolm would support reading PCAP-over-IP centrally, and then provide that PCAP data to installed tools like Suricata and Zeek.

There is support for pcapReadMethod=pcap-over-ip-client and pcapReadMethod=pcap-over-ip-server in Arkime, which might be of help here.

There are a few less desirable workarounds for reading remote PCAP data into Malcolm, such as using sftp to copy pcap data into Malcolm.

Implementation notes

A desired implementation would be a service that either listens on a TCP port for incoming PCAP-over-IP connections, or a client that actively connects to an IP:PORT to read PCAP-over-IP data. The received pcap/libpcap data should be expected to be compliant with the PCAP file format, not PcapNG.

Acceptance criteria

A simple test case would be to make a PCAP file available to Malcolm via a local netcat listener like this:

nc -l 57012 < sniffed.pcap

If Malcolm can read and import the packets in sniffed.pcap via the netcat listener, then we've succeeded.

A more advanced test would be to have Malcolm read decrypted TLS traffic from PolarProxy, which is started with --pcapoverip 57012 or --pcapoveripconnect <Malcolm-IP>:57012.

@mmguero mmguero added the capture (Relating to pcap-capture container) and enhancement (New feature or request) labels Nov 5, 2024
@mmguero mmguero added this to Malcolm Nov 5, 2024
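Added example, not code from the issue or from Malcolm itself: a minimal Python PCAP-over-IP client in the "client" mode the implementation notes describe. It connects to a sender, parses the 24-byte libpcap global header to learn byte order, timestamp resolution, snaplen and link type, then reads 16-byte record headers plus packet bytes until the peer closes the connection. Because a live stream has no file length to check against, a truncated record is treated as an error rather than silently dropped, and oversized length fields are rejected so a desynchronised stream cannot make the reader block forever. A PcapNG Section Header Block is refused up front, matching the note that the data must be classic PCAP, not PcapNG. `build_sample_stream()` produces constructed bytes standing in for `sniffed.pcap`; the host and port passed to `stream_from_server` are whatever the netcat listener or PolarProxy instance from the acceptance criteria is bound to.

```python
"""Minimal PCAP-over-IP reader (added example, not Malcolm's own code).

PCAP-over-IP is the classic libpcap file format, a 24-byte global header
followed by 16-byte record headers each carrying one packet, pushed over a
TCP connection instead of written to disk.  This module parses such a stream
incrementally so each packet can be handed on as soon as it arrives.
"""
import io
import socket
import struct
from dataclasses import dataclass
from typing import BinaryIO, Iterator, List, Optional

# libpcap magic numbers as they appear when the first 4 bytes are read
# little-endian.  The sender writes them in its native byte order, so the
# byte-swapped values identify a big-endian writer.
MAGIC_USEC_LE, MAGIC_USEC_BE = 0xA1B2C3D4, 0xD4C3B2A1
MAGIC_NSEC_LE, MAGIC_NSEC_BE = 0xA1B23C4D, 0x4D3CB2A1
PCAPNG_MAGIC = 0x0A0D0D0A  # PcapNG Section Header Block type; not supported

_MAGICS = {
    MAGIC_USEC_LE: ("<", False),
    MAGIC_USEC_BE: (">", False),
    MAGIC_NSEC_LE: ("<", True),
    MAGIC_NSEC_BE: (">", True),
}


@dataclass
class GlobalHeader:
    byte_order: str    # struct prefix, "<" or ">"
    nanoseconds: bool  # True if timestamps carry ns rather than us
    snaplen: int
    linktype: int      # e.g. 1 = LINKTYPE_ETHERNET


@dataclass
class Packet:
    ts_sec: int
    ts_frac: int   # microseconds or nanoseconds, see GlobalHeader
    orig_len: int  # length on the wire (may exceed len(data))
    data: bytes


def _read_exact(stream: BinaryIO, n: int) -> Optional[bytes]:
    """Read exactly n bytes (sockets return short reads).  Returns None on a
    clean EOF at a record boundary; raises if the stream dies mid-record."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            if not buf:
                return None
            raise EOFError(f"stream ended mid-record ({len(buf)}/{n} bytes)")
        buf.extend(chunk)
    return bytes(buf)


def read_global_header(stream: BinaryIO) -> GlobalHeader:
    raw = _read_exact(stream, 24)
    if raw is None:
        raise EOFError("connection closed before the PCAP global header")
    (magic,) = struct.unpack("<I", raw[:4])
    if magic == PCAPNG_MAGIC:
        raise ValueError("PcapNG stream; PCAP-over-IP requires classic libpcap format")
    if magic not in _MAGICS:
        raise ValueError(f"not a libpcap stream (magic 0x{magic:08x})")
    bo, nsec = _MAGICS[magic]
    # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(bo + "HHiIII", raw[4:])
    return GlobalHeader(bo, nsec, snaplen, linktype)


def iter_pcap_stream(stream: BinaryIO) -> Iterator[Packet]:
    """Yield packets until the peer closes the connection cleanly."""
    hdr = read_global_header(stream)
    rec = struct.Struct(hdr.byte_order + "IIII")
    while True:
        raw = _read_exact(stream, rec.size)
        if raw is None:
            return
        ts_sec, ts_frac, incl_len, orig_len = rec.unpack(raw)
        # A record claiming more bytes than the snaplen (or than the original
        # frame) means the stream is corrupt or we have lost sync; bail out
        # rather than block waiting for bytes that will never arrive.
        if incl_len > hdr.snaplen or incl_len > orig_len:
            raise ValueError(f"bogus record length {incl_len} (snaplen {hdr.snaplen})")
        data = _read_exact(stream, incl_len) if incl_len else b""
        if data is None:
            raise EOFError("stream ended between record header and payload")
        yield Packet(ts_sec, ts_frac, orig_len, data)


def parse_bytes(data: bytes) -> List[Packet]:
    """Convenience wrapper: parse an in-memory stream (e.g. for tests)."""
    return list(iter_pcap_stream(io.BytesIO(data)))


def stream_from_server(host: str, port: int, timeout: float = 10.0) -> Iterator[Packet]:
    """Client mode: connect to a PCAP-over-IP sender (for example the
    `nc -l 57012 < sniffed.pcap` listener or `PolarProxy --pcapoverip 57012`
    from the acceptance criteria) and yield its packets.  host/port are
    whatever that sender is bound to."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.settimeout(None)  # a live capture may legitimately be quiet for a while
    with sock, sock.makefile("rb") as f:
        yield from iter_pcap_stream(f)


def build_sample_stream() -> bytes:
    """Constructed test data, not a real capture: a little-endian microsecond
    libpcap header for Ethernet followed by two short dummy frames."""
    hdr = struct.pack("<IHHiIII", MAGIC_USEC_LE, 2, 4, 0, 0, 65535, 1)
    frames = [(1700000000, 1000, b"\xff" * 60), (1700000001, 2000, b"\x00" * 14)]
    recs = b"".join(struct.pack("<IIII", s, u, len(d), len(d)) + d for s, u, d in frames)
    return hdr + recs


if __name__ == "__main__":
    for pkt in parse_bytes(build_sample_stream()):
        print(f"{pkt.ts_sec}.{pkt.ts_frac:06d} caplen={len(pkt.data)} origlen={pkt.orig_len}")
```

To reproduce the netcat test case, start `nc -l 57012 < sniffed.pcap` in one shell and call `list(stream_from_server("127.0.0.1", 57012))` from Python; the generator finishes when the sender closes the socket (some netcat builds keep the connection open after EOF on stdin unless told otherwise, e.g. with `-N` on OpenBSD netcat or `-q 0` on netcat-traditional). The "server" direction, where PolarProxy is started with `--pcapoveripconnect <Malcolm-IP>:57012`, only differs in who calls connect: accept the socket, wrap it with `makefile("rb")` and hand it to the same `iter_pcap_stream`.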