
Remote packet capture tool

Tools such as tcpdump capture full packet data and store it to disk, but they don't provide a way to capture and stream the packets to a remote destination. I have been in situations where I needed a quick way to capture and send traffic at the same time. There are ways to configure full packet capture nodes to capture and send the traffic to a master collector; however, the goal here is host-based collection for cloud servers or temporary capture for incident response or network troubleshooting. Most of the existing methods approach the problem from an engineering perspective, aiming for a reliable and permanent full packet capture solution. When it comes to a quick way to get a PCAP from a remote host, it becomes a tedious task with many manual configurations to set before the first packet is received. Tools that monitor traffic and send aggregated logs are not useful in cases where full packet data is required for deep analysis or file extraction. The tool is intended to be used mainly for capturing traffic from compromised machines or for troubleshooting remote servers as soon as the agent is executed.

Main features:
- A collector server receives the packets from the agent.
- Capture stops on a condition based on the number of packets or the captured size.
- The Arkime full packet capture platform is supported at the collector server.

The tool's idea is simple: any library that provides full packet capture can be used to stream the packets after performing some sort of serialization. Go has a robust packet processing library called GoPacket, and in addition it is a compiled language, which makes it a perfect starting point. Python also has strong packet processing packages, but it would be a challenge to run a Python script on a remote machine without first compiling the script into an executable. Two main libraries are used to achieve the goal: GoPacket as the packet processing library and gRPC for sending the serialized packets to a remote destination. gRPC uses the Proto3 (Protocol Buffers) language to describe the services that will be implemented in the server and client. Writing the Proto3 service file enables developers to auto-generate clients for any language supported by gRPC without writing the actual code. The tool is fairly small: it has only 3 messages and one service consisting of two functions.
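As an added illustration (not the post's own code), this is the collector side of the design described above in Go, using only the standard library: a constructed Packet struct stands in for the gRPC message the agent streams, received frames are written out as a libpcap file that Arkime can ingest, capture stops once a packet-count or byte limit is reached, and frames larger than the agreed snaplen are rejected instead of being trusted from a remote agent. The Packet and Collector types and their field names are assumptions for the example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"time"
)

// Packet stands in for the gRPC message the agent streams (hypothetical shape).
type Packet struct {
	Ts   time.Time
	Data []byte
}

// Collector receives streamed packets, writes them as a libpcap 2.4 stream
// (the format Arkime and Wireshark read) and stops once either limit is hit.
type Collector struct {
	MaxPackets, MaxBytes int    // stop conditions; 0 means no limit
	SnapLen              uint32 // largest frame the collector accepts
	Packets, Bytes       int    // running totals
	Out                  bytes.Buffer
}

func NewCollector(maxPackets, maxBytes int, snapLen uint32) *Collector {
	c := &Collector{MaxPackets: maxPackets, MaxBytes: maxBytes, SnapLen: snapLen}
	// Global header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype 1 (Ethernet).
	for _, f := range []any{uint32(0xa1b2c3d4), uint16(2), uint16(4), int32(0), uint32(0), snapLen, uint32(1)} {
		binary.Write(&c.Out, binary.LittleEndian, f)
	}
	return c
}

// Receive appends one packet record. It returns done=true once a stop condition
// is met, and an error for frames larger than SnapLen: length fields from a
// remote agent are untrusted input and are checked before anything is written.
func (c *Collector) Receive(p Packet) (done bool, err error) {
	if len(p.Data) > int(c.SnapLen) {
		return false, fmt.Errorf("frame of %d bytes exceeds snaplen %d", len(p.Data), c.SnapLen)
	}
	n := uint32(len(p.Data))
	binary.Write(&c.Out, binary.LittleEndian, []uint32{uint32(p.Ts.Unix()), uint32(p.Ts.Nanosecond() / 1000), n, n})
	c.Out.Write(p.Data)
	c.Packets++
	c.Bytes += len(p.Data)
	done = (c.MaxPackets > 0 && c.Packets >= c.MaxPackets) || (c.MaxBytes > 0 && c.Bytes >= c.MaxBytes)
	return done, nil
}
```

In the real tool the Receive loop would sit inside the gRPC stream handler, and Out would be a file on disk in Arkime's pcap directory rather than an in-memory buffer.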