forked from cramer/pcapmirror
# pcapmirror
pcapmirror is a command-line tool for capturing network traffic and mirroring it to a remote destination using [TZSP encapsulation](https://en.wikipedia.org/wiki/TZSP) (carried in UDP) or [ERSPAN](https://datatracker.ietf.org/doc/html/draft-foschiano-erspan-01) (carried in GRE). It uses the `libpcap` library for packet capture and can restrict what is mirrored with a capture filter in BPF syntax. This makes it useful for network monitoring, intrusion detection, and remote packet analysis.
## Usage
```bash
pcapmirror [options]
```
### Options:

* `-i <interface>` Specify the capture interface
* `-f <filter>` Specify the capture filter (BPF syntax)
* `-r <host/ipv4/ipv6>` Specify the destination host (required)
* `-p <port>` Specify the destination port (default: 37008)
* `-e` Use ERSPAN encapsulation (default: TZSP)
* `-s <source_ip>` Specify the source IP address for the outer IP header (required for ERSPAN)
* `-S <session_id>` Specify the ERSPAN session ID (default: 42, must be between 0 and 1023)
* `-4` Force IPv4 host lookup
* `-6` Force IPv6 host lookup
* `-l` List available network interfaces
* `-v` Enable verbose mode
* `-c` Count matching packets (overrides verbose mode)
* `-h` Show this help message

### Example:

To capture traffic on the eth0 interface, filter for TCP port 80, and mirror it to 192.168.1.100 on UDP port 47008 (a non-default port; omit `-p` to use the default 37008), use the following command:

```bash
sudo pcapmirror -i eth0 -f "tcp port 80" -r 192.168.1.100 -p 47008 -v
```

*Note*: Running pcapmirror typically requires root privileges because libpcap needs raw access to the capture interface. On Linux, granting the installed binary the `cap_net_raw` and `cap_net_admin` capabilities with `setcap` is a less privileged alternative to running the whole tool as root.

*Note*: Neither TZSP nor ERSPAN encrypts or authenticates the mirrored traffic; every captured frame, cleartext payload included, is forwarded as-is, so only mirror across a network you trust. If the destination is reached through the capture interface, make sure the capture filter cannot match the mirror stream itself (for example by appending `and not udp port 47008`), otherwise mirrored datagrams would be captured and mirrored again.

## Usage with wireshark

With this tool, you can mirror traffic directly to a running [Wireshark](https://www.wireshark.org/) on the destination host. Wireshark dissects TZSP on UDP port 37008 out of the box, so mirrored frames show up fully decoded; if you chose another port with `-p`, use "Decode As..." to map that UDP port to TZSP. ERSPAN arrives inside GRE and is likewise decoded automatically.

To see only the mirrored stream rather than the monitoring machine's own traffic, configure Wireshark with a capture filter of `udp port 37008` or `udp dst port 37008` (adjust the port if you changed it). Also verify that your firewall permits this UDP traffic (or GRE, IP protocol 47, when using ERSPAN).

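As an added example that is not part of pcapmirror or this README, here is a small Python receiver for the TZSP datagrams pcapmirror emits. It decodes the TZSP header and tag list, rejects truncated or unterminated datagrams instead of guessing, hands back the captured Ethernet frame, and pulls out the addresses and ports a filter such as `tcp port 80` selects on. The `serve()` function listens on the default port 37008 (change it if you passed `-p`). The sample frame it round-trips offline is constructed here, not captured, and the TZSP tag numbers are the standard ones from the TZSP format, not anything pcapmirror is documented to send.

```python
"""TZSP receiver/decoder for the datagrams pcapmirror emits (added example, not project code)."""
import socket
import struct
from dataclasses import dataclass, field

# TZSP wire format: 4-byte header (version, type, encapsulated protocol), then a
# tag list terminated by TAG_END, then the captured frame. The tag numbers below
# are the standard TZSP ones; which tags pcapmirror sends is not documented here.
TZSP_VERSION = 1
TZSP_TYPE_RECEIVED = 0        # a captured frame being forwarded to the collector
TZSP_ENCAP_ETHERNET = 1
TAG_PADDING = 0               # one byte, no length field
TAG_END = 1                   # one byte, terminates the tag list
TAG_TIMESTAMP = 13            # example of a length-prefixed tag (TLV)
TZSP_DEFAULT_PORT = 37008     # pcapmirror's default destination port


@dataclass
class TzspPacket:
    ptype: int
    encap: int
    tags: dict = field(default_factory=dict)
    payload: bytes = b""


def build_tzsp(frame, encap=TZSP_ENCAP_ETHERNET, tags=None):
    """Wrap a captured frame the way a TZSP sender does (used here to make test input)."""
    out = bytearray(struct.pack("!BBH", TZSP_VERSION, TZSP_TYPE_RECEIVED, encap))
    for tag, value in (tags or {}).items():
        if tag in (TAG_PADDING, TAG_END) or len(value) > 255:
            raise ValueError(f"cannot encode tag {tag} with {len(value)} bytes")
        out += struct.pack("!BB", tag, len(value)) + value
    out.append(TAG_END)
    return bytes(out) + frame


def parse_tzsp(datagram):
    """Decode one TZSP datagram; malformed input raises ValueError rather than being guessed at."""
    if len(datagram) < 4:
        raise ValueError("datagram shorter than the 4-byte TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError(f"unsupported TZSP version {version}")
    off, tags = 4, {}
    while True:
        if off >= len(datagram):
            raise ValueError("tag list not terminated by TAG_END")
        tag = datagram[off]
        off += 1
        if tag == TAG_PADDING:
            continue
        if tag == TAG_END:
            break
        if off >= len(datagram):
            raise ValueError(f"tag {tag} has no length byte")
        length = datagram[off]
        off += 1
        if off + length > len(datagram):
            raise ValueError(f"tag {tag} runs past the end of the datagram")
        tags[tag] = datagram[off:off + length]
        off += length
    return TzspPacket(ptype, encap, tags, datagram[off:])


def summarize_ethernet(frame):
    """Extract the fields a BPF filter such as "tcp port 80" matches on from the inner frame."""
    if len(frame) < 14:
        raise ValueError("Ethernet frame shorter than 14 bytes")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800 or len(frame) < 34:
        return info                       # only IPv4 is decoded further in this example
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    info.update(src_ip=".".join(map(str, frame[26:30])),
                dst_ip=".".join(map(str, frame[30:34])), proto=frame[23])
    l4 = 14 + ihl
    if frame[23] in (6, 17) and len(frame) >= l4 + 4:   # TCP or UDP: ports are the first 4 bytes
        info["sport"], info["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return info


def sample_http_syn():
    """Constructed test input: Ethernet/IPv4/TCP SYN from 192.168.1.10 to 10.0.0.1:80 (checksums zero)."""
    eth = bytes.fromhex("00112233445566778899aabb0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", 51000, 80, 1000, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp


def serve(port=TZSP_DEFAULT_PORT):
    """Listen for pcapmirror's TZSP stream and print one line per mirrored frame."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("", port))
        while True:
            data, (sender, _) = sock.recvfrom(65535)
            try:
                pkt = parse_tzsp(data)
                inner = summarize_ethernet(pkt.payload) if pkt.encap == TZSP_ENCAP_ETHERNET else pkt.payload.hex()
                print(sender, pkt.tags, inner)
            except ValueError as err:
                print(sender, "malformed TZSP:", err)


if __name__ == "__main__":
    # Offline round trip; call serve() instead to decode a live pcapmirror stream.
    pkt = parse_tzsp(build_tzsp(sample_http_syn(), tags={TAG_TIMESTAMP: b"\x00\x00\x00\x2a"}))
    print(pkt.tags, summarize_ethernet(pkt.payload))
```

The parser deliberately treats a missing `TAG_END` or a tag that overruns the datagram as an error: a collector that is reachable from the network is itself an attack surface, and silently accepting malformed headers is how a mirror receiver ends up misattributing bytes as packet data.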
## Original Download Location

[https://git.freestone.net/cramer/pcapmirror](https://git.freestone.net/cramer/pcapmirror)

## Packages

On the original download location you will also find several prebuilt packages.

## Compile and Install

### Supported Operating Systems

The source is tested to build and function on the following operating systems:

* Debian Linux 12, 13 and unstable (sid)
* Rocky Linux 8, 9, 10
* Raspberry Pi OS 12 (bookworm)
* OpenBSD 7.6, 7.7
* macOS 15

Compile the program:

```bash
make
```

Install the program:

```bash
make install
```

This copies the pcapmirror executable into the `bin` directory under `PREFIX`. Adjust the `PREFIX` variable in the Makefile if you want to install it to a different location.

### Dependencies

libpcap: You need libpcap and its development headers installed on your system. On Debian/Ubuntu systems, you can install them using:

```bash
sudo apt-get install libpcap-dev
```

On Fedora/CentOS/RHEL systems (and derivatives such as Rocky Linux), you can install them using:

```bash
sudo yum install libpcap-devel
```

(`dnf` replaces `yum` on current Fedora and RHEL releases; the package name is the same.)

## Build debian package

If you have never built a Debian package you probably need debhelper:

```bash
sudo apt-get install debhelper
```

Then build the package with this command, run from the top of the source tree (`-uc -us` skips signing the .changes and .dsc files, which is fine for a local build):

```bash
dpkg-buildpackage -uc -us
```