3 releases
0.3.2 | Jul 9, 2019 |
---|---|
0.3.1 | Jul 8, 2019 |
0.3.0 | Jul 8, 2019 |
#7 in #pcap-parser
38KB
714 lines
Snoopy
A highly configurable multi-threaded packet sniffer and parser build in rust-lang.
Features
- Capturing packets and encoding them to Pcap files, or print them onto console.
- While capturing packets, various configuration parameters can be specified.
- Parse Pcap files and print them to console, or extract more verbose information from each packet and store them to JSON file.
- Multi-threaded parsing of packets.
- Filter packets while parsing and capturing.
- Currently supports the following protocols :
- Ethernet
- Ipv4
- Ipv6
- Arp
- Tcp
- Udp
- Dns
- Tls
the Json file is generated like given below :
[{
"Ok": {
"len": 11,
"timestamp": "1234567890.123456",
"headers": [{
"Tls": {
...
}
},
{
"Tcp": {
...
}
}, {
"Ipv4": {
...
}
}, {
"Ether": {
...
}
}
],
"remaining": [...]
}
},
...
]
Installation
Ensure that you have libpcap-dev
(ubuntu) or the corresponding package installed on your system.
Run the following commands in the command line inside the folder :
cargo install snoopy
Quick-Start
To Capture packets and print them onto the console :
➜ sudo snoopy capture run
--------------------
Sniffing wlp3s0
--------------------
Source IP | Source Port | Dest IP | Dest Port | Protocol | Length | Timestamp |
------------------------------------------------------------------------------------------------------------------------------------
52.216.185.195 | 443 | 10.20.197.103 | 38522 | Tcp | 10078 | 1562310108.589373
10.20.197.103 | 38522 | 52.216.185.195 | 443 | Tcp | 54 | 1562310108.589468
52.216.185.195 | 443 | 10.20.197.103 | 38522 | Tcp | 10078 | 1562310108.890490
10.20.197.103 | 38522 | 52.216.185.195 | 443 | Tcp | 54 | 1562310108.890547
52.216.185.195 | 443 | 10.20.197.103 | 38522 | Tcp | 1486 | 1562310109.197739
10.20.197.103 | 38522 | 52.216.185.195 | 443 | Tcp | 54 | 1562310109.197795
52.216.185.195 | 443 | 10.20.197.103 | 38522 | Tcp | 1486 | 1562310109.197841
10.20.197.103 | 38522 | 52.216.185.195 | 443 | Tcp | 66 | 1562310109.197865
52.216.185.195 | 443 | 10.20.197.103 | 38522 | Tcp | 2918 | 1562310109.197887
10.20.197.103 | 38522 | 52.216.185.195 | 443 | Tcp | 74 | 1562310109.197906
52.216.185.195 | 443 | 10.20.197.103 | 38522 | Tcp | 1486 | 1562310109.197965
10.20.197.103 | 38522 | 52.216.185.195 | 443 | Tcp | 74 | 1562310109.197984
35.154.102.71 | 443 | 10.20.197.103 | 56572 | Tls | 160 | 1562310109.262324
10.20.197.103 | 56572 | 35.154.102.71 | 443 | Tcp | 66 | 1562310109.262383
Capture packets and save them to Pcap files :
➜ sudo snoopy capture run --timeout 10000 --savefile captured.pcap
Note: For capturing packets the user needs root user permissions to capture network packets.
Parse Pcap files and print to console:
➜ snoopy parse ./Sample/captured.pcap
Parse Pcap files and print to console (with filters):
➜ snoopy parse ./Sample/captured.pcap --filter "tcp port 443"
The above command will print all TCP packets with source/destination port 443.
Parse Pcap files and save to JSON file:
➜ snoopy parse ./Sample/captured.pcap --savefile ./parsed.json
Documentation
All commands and sub-commands are listed below :
USAGE:
snoopy [SUBCOMMAND]
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
SUBCOMMANDS:
capture Capture packets from interfaces.
help Prints this message or the help of the given subcommand(s)
parse Parse pcap files.
USAGE:
snoopy capture [SUBCOMMAND]
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
SUBCOMMANDS:
help Prints this message or the help of the given subcommand(s)
list List all interfaces.
run Start capturing packets.
USAGE:
snoopy capture run [FLAGS] [OPTIONS]
FLAGS:
-h, --help Prints help information
-p, --promisc Set promiscuous mode on or off. By default, this is off.
-r, --rfmon Set rfmon mode on or off. The default is maintained by pcap.
-V, --version Prints version information
OPTIONS:
-b, --buffer_size <buffer_size> Set the buffer size for incoming packet data. The default is 1000000. This should
always be larger than the snaplen.
--handle <device_handle> Specify the device interface
-f, --filter <filter> Set filter to the capture using the given BPF program string.
--precision <precision> Set the time stamp precision returned in captures (Micro/Nano).
--savefile <savefile> Save the captured packets to file.
-s, --snaplen <snaplen> Set the snaplen size (the maximum length of a packet captured into the buffer).
Useful if you only want certain headers, but not the entire packet.The default is
65535.
-t, --timeout <timeout> Set the read timeout for the Capture. By default, this is 0, so it will block
indefinitely.
--tstamp_type <tstamp_type> Set the time stamp type to be used by a capture device (Host / HostLowPrec /
HostHighPrec / Adapter / AdapterUnsynced).
USAGE:
snoopy parse [OPTIONS] <file_name>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-f, --filter <filter> Set filter to the capture using the given BPF program string.
-s, --savefile <savefile> Parse the packets into JSON and save them to memory.
ARGS:
<file_name>
Note: The filters can be defined according to the syntax specified here.
Docker
Run the following commands in the command line inside the folder :
docker build -t snoopy .
docker container run -it snoopy
Build
Run the following command in the command line inside the folder :
cargo build
Todo
- Benchmarking
- Support for other protocols
License
This project is under the MIT license.
Dependencies
~6.5MB
~100K SLoC