Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add PCAP-over-IP support #255

Closed
mmguero opened this issue Sep 6, 2023 · 1 comment
Closed

Add PCAP-over-IP support #255

mmguero opened this issue Sep 6, 2023 · 1 comment
Labels
capture Relating to pcap-capture container enhancement New feature or request

Comments

@mmguero
Copy link
Collaborator

mmguero commented Sep 6, 2023

Submitted by @erik4711 as cisagov#278

💡 Summary

Add support for PCAP-over-IP (aka PcapOverTcp) to allow Malcolm to read a continuous PCAP stream of network traffic from a remote machine. This feature also enables reading decrypted TLS traffic from a TLS inspection proxy.

Motivation and context

Individual tools that handle PCAP files or network traffic have support for reading PCAP-over-IP. There is for example a Zeek plugin Zeek::PcapOverTcp, which can read PCAP data from a remote sniffer or a TLS decryption proxy. However, it would be helpful if Malcolm would support reading PCAP-over-IP centrally, and then provide that PCAP data to installed tools like Suricata and Zeek.

There is support for pcapReadMethod=pcap-over-ip-client and pcapReadMethod=pcap-over-ip-server in Arkime, which might be of help here.

There are a few less desirable workarounds for reading remote PCAP data into Malcolm, such as using sftp to copy pcap data into Malcolm.

Implementation notes

A desired implementation would be a service that either listens on a TCP port for incoming PCAP-over-IP connections, or a client that actively connects to an IP:PORT to read PCAP-over-IP data. The received pcap/libpcap data should be expected to be compliant with the PCAP file format , not PcapNG.

Acceptance criteria

A simple test case would be to make a PCAP file available to Malcolm via a local netcat listener like this:
nc -l 57012 < sniffed.pcap

If Malcolm can read and import the packets in sniffed.pcap via the netcat listener, then we've succeeded.

A more advanced test would be to have Malcolm read decrypted TLS traffic from PolarProxy, which is started with --pcapoverip 57012 or --pcapoveripconnect <Malcolm-IP>:57012.

@mmguero mmguero added capture Relating to pcap-capture container enhancement New feature or request labels Sep 6, 2023
@mmguero mmguero added this to Malcolm Sep 6, 2023
@mmguero mmguero moved this to Todo (design) in Malcolm Sep 6, 2023
@mmguero mmguero moved this from Todo (design) to Todo (spike) in Malcolm Sep 6, 2023
@mmguero mmguero added this to the z.staging milestone Mar 27, 2024
@mmguero mmguero removed this from the z.staging milestone May 15, 2024
@mmguero
Copy link
Collaborator Author

mmguero commented Nov 5, 2024

Kamino closed and cloned this issue to cisagov/Malcolm

@mmguero mmguero closed this as completed Nov 5, 2024
@github-project-automation github-project-automation bot moved this from Todo (investigate) to Done in Malcolm Nov 5, 2024
@mmguero mmguero moved this from Done to Migrated in Malcolm Nov 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
capture Relating to pcap-capture container enhancement New feature or request
Projects
Status: Migrated
Development

No branches or pull requests

1 participant