pcapmirror-test/README.md
2025-04-20 16:53:26 +02:00


pcapmirror


pcapmirror is a command-line tool that captures packets on a local interface and mirrors them to a remote destination, encapsulated either in TZSP (over UDP) or in ERSPAN. It uses the libpcap library for capture and accepts a BPF filter to select which traffic is mirrored. Typical uses are remote packet analysis (for example, feeding a Wireshark instance on another host), network monitoring, and intrusion detection.

Usage

pcapmirror [options]

Options:

  • -i <interface> Specify the capture interface
  • -f <filter> Specify the capture filter (BPF syntax)
  • -r <host/ipv4/ipv6> Specify the destination host (required)
  • -p <port> Specify the destination UDP port (TZSP only, since GRE/ERSPAN has no port; default: 37008)
  • -e Use ERSPAN encapsulation (default: TZSP)
  • -s <source_ip> Specify the source IP address (required for ERSPAN)
  • -S <session_id> Specify the ERSPAN session ID (default: 42; must be between 0 and 1023)
  • -4 Force IPv4 host lookup
  • -6 Force IPv6 host lookup
  • -l List available network interfaces
  • -v Enable verbose mode
  • -c Count matching packets (overrides verbose mode)
  • -h Show this help message
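The -S limit of 0 to 1023 comes from the ERSPAN Type II header, whose session ID is a 10-bit field. The following stand-alone Python example (added here; it is not pcapmirror's code and makes no claim about how pcapmirror builds its packets) constructs and parses the GRE and ERSPAN Type II headers that an ERSPAN receiver sees inside an IP packet with protocol 47, enforcing the field widths that make 1024 an invalid session ID. The sample frame is constructed, not captured traffic.

```python
"""ERSPAN Type II encapsulation as a receiver sees it (stdlib only).

Added example, not pcapmirror's code. Inside the IP packet (IP protocol
47, GRE) the layout is:

  GRE, 8 bytes:       flags 0x1000 (S bit: sequence number present),
                      protocol type 0x88BE, 32-bit sequence number
  ERSPAN II, 8 bytes: Ver(4)=1 | VLAN(12) | COS(3) | En(2) | T(1) | Session ID(10)
                      Reserved(12) | Index(20)
  then the mirrored Ethernet frame
"""
import struct
from typing import Dict, Tuple

GRE_FLAG_C = 0x8000         # checksum present
GRE_FLAG_K = 0x2000         # key present
GRE_FLAG_S = 0x1000         # sequence number present (required for ERSPAN II)
GRE_PROTO_ERSPAN2 = 0x88BE
ERSPAN_VERSION_II = 1
SESSION_ID_MAX = 0x3FF      # 10 bits: 0..1023, the range pcapmirror's -S documents
INDEX_MAX = 0xFFFFF         # 20 bits


def erspan2_encode(frame: bytes, session_id: int, seq: int, vlan: int = 0,
                   cos: int = 0, en: int = 0, truncated: bool = False,
                   index: int = 0) -> bytes:
    """Build GRE + ERSPAN II headers in front of a frame (sender side).

    The result is the GRE payload of an IP packet; GRE rides directly on
    IP (protocol 47), so a sender emits it through a raw socket, not UDP.
    """
    if not 0 <= session_id <= SESSION_ID_MAX:
        raise ValueError(f"session id {session_id} outside 0..{SESSION_ID_MAX}")
    if not 0 <= vlan <= 0xFFF or not 0 <= cos <= 7 or not 0 <= en <= 3:
        raise ValueError("VLAN, COS or En out of range")
    if not 0 <= index <= INDEX_MAX:
        raise ValueError("index outside 20 bits")
    gre = struct.pack("!HHI", GRE_FLAG_S, GRE_PROTO_ERSPAN2, seq & 0xFFFFFFFF)
    word1 = ((ERSPAN_VERSION_II << 28) | (vlan << 16) | (cos << 13)
             | (en << 11) | (int(truncated) << 10) | session_id)
    word2 = index                                   # reserved bits stay zero
    return gre + struct.pack("!II", word1, word2) + frame


def erspan2_decode(gre_payload: bytes) -> Tuple[Dict[str, int], bytes]:
    """Parse GRE + ERSPAN II headers; return (fields, mirrored frame).

    Rejects GRE packets whose optional checksum/key fields would shift
    the ERSPAN header, and anything that is not ERSPAN version 1.
    """
    if len(gre_payload) < 16:
        raise ValueError("shorter than GRE + ERSPAN II headers")
    flags, proto, seq = struct.unpack_from("!HHI", gre_payload, 0)
    if proto != GRE_PROTO_ERSPAN2:
        raise ValueError(f"GRE protocol type {proto:#06x} is not ERSPAN II")
    if not flags & GRE_FLAG_S:
        raise ValueError("ERSPAN II requires the GRE sequence number")
    if flags & (GRE_FLAG_C | GRE_FLAG_K):
        raise ValueError("unexpected GRE checksum/key field")
    word1, word2 = struct.unpack_from("!II", gre_payload, 8)
    if word1 >> 28 != ERSPAN_VERSION_II:
        raise ValueError(f"ERSPAN version {word1 >> 28} is not Type II")
    fields = {
        "seq": seq,
        "vlan": (word1 >> 16) & 0xFFF,
        "cos": (word1 >> 13) & 0x7,
        "en": (word1 >> 11) & 0x3,
        "truncated": (word1 >> 10) & 0x1,
        "session_id": word1 & SESSION_ID_MAX,
        "index": word2 & INDEX_MAX,
    }
    return fields, gre_payload[16:]


# Constructed 60-byte stand-in for a mirrored Ethernet frame (IPv4 EtherType,
# zeroed payload). Not captured traffic.
SAMPLE_FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800") + bytes(46)


def round_trip(session_id: int = 42, seq: int = 7, vlan: int = 100) -> Dict[str, int]:
    """Encode the sample frame, decode it again, and return the header fields."""
    fields, inner = erspan2_decode(erspan2_encode(SAMPLE_FRAME, session_id, seq, vlan=vlan))
    assert inner == SAMPLE_FRAME
    return fields


if __name__ == "__main__":
    print(round_trip())
```

The decoder deliberately refuses GRE headers with the checksum or key bits set: those add optional 4-byte fields in front of the sequence number, so a parser that assumed a fixed 8-byte GRE header would read the ERSPAN fields from the wrong offset.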

Example:

To capture traffic on the eth0 interface, filter for TCP port 80, and send it to 192.168.1.100 on UDP port 47008 (instead of the default 37008), use the following command:

sudo pcapmirror -i eth0 -f "tcp port 80" -r 192.168.1.100 -p 47008 -v

The receiver must listen on the same port you pass with -p. If the mirrored stream leaves through the capture interface and your filter would match it (for example an empty filter, or a plain udp filter), exclude it explicitly, e.g. -f "udp and not udp port 47008"; otherwise each mirrored packet is captured and mirrored again.

Note: Running pcapmirror typically requires root privileges (or, on Linux, the CAP_NET_RAW and CAP_NET_ADMIN capabilities), because libpcap needs them to open the capture interface.

Usage with wireshark

With this tool you can mirror traffic directly to a running Wireshark instance: start a capture on the collector's interface and Wireshark's TZSP dissector decodes the encapsulated frames. Wireshark expects TZSP on UDP port 37008 by default; if you chose another port with -p, map it with Analyze > Decode As > TZSP.

To record only the mirrored stream and not the collector's own traffic, configure Wireshark with a capture filter of udp port 37008 or udp dst port 37008 (adjusted to your -p value). Also verify that the collector's firewall permits this inbound UDP traffic. For ERSPAN, filter on ip proto 47 (GRE) instead; Wireshark decodes GRE/ERSPAN without extra configuration.

Both encapsulations carry the captured frames in the clear, so the mirror stream exposes everything the filter matches. Run it over a trusted management network or an encrypted tunnel, and restrict the receiving port to the sender's address.
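For a collector without Wireshark, the following stand-alone Python example (added here; not pcapmirror's code, and it does not claim to match pcapmirror's sender byte for byte) shows what sits inside each UDP datagram on port 37008 and how a receiver should parse it. It builds a TZSP datagram the way a sender does, decodes it with every length checked against the datagram so truncated or malformed input raises instead of being misread, and serializes recovered frames as a classic pcap that tshark or Wireshark can open. The sample frame is constructed, not captured traffic.

```python
"""TZSP encoder/decoder: what a TZSP receiver has to parse (stdlib only).

Added example, not code from the pcapmirror project. The layout is the
TZSP format that Wireshark's dissector understands:

  byte 0      version, always 1
  byte 1      type: 0 = received tag list (a mirrored packet)
  bytes 2-3   encapsulated link type, big-endian (1 = Ethernet)
  tag list    tag byte; 0x00 = padding and 0x01 = end carry no length,
              every other tag is followed by a length byte and that many
              bytes of data
  payload     the encapsulated frame, immediately after the end tag
"""
import struct
from typing import Dict, Optional, Tuple

TZSP_VERSION = 1
TZSP_TYPE_RECEIVED = 0
TZSP_ENCAP_ETHERNET = 1
TAG_PADDING = 0x00
TAG_END = 0x01
TAG_RX_CHANNEL = 0x12   # a length-prefixed tag, used below as a sample


def tzsp_encode(frame: bytes, tags: Optional[Dict[int, bytes]] = None) -> bytes:
    """Wrap an Ethernet frame the way a TZSP sender does (sender side)."""
    out = bytearray(struct.pack("!BBH", TZSP_VERSION, TZSP_TYPE_RECEIVED,
                                TZSP_ENCAP_ETHERNET))
    for tag, value in (tags or {}).items():
        if tag in (TAG_PADDING, TAG_END) or not 0 <= len(value) <= 255:
            raise ValueError(f"cannot encode tag {tag:#04x}")
        out += bytes((tag, len(value))) + value
    out.append(TAG_END)
    return bytes(out) + frame


def tzsp_decode(datagram: bytes) -> Tuple[int, Dict[int, bytes], bytes]:
    """Parse one UDP payload; return (encapsulated link type, tags, frame).

    Every length is checked against the datagram before it is used, so a
    truncated or malformed datagram raises ValueError instead of being
    misread as a frame.
    """
    if len(datagram) < 5:                       # 4-byte header + end tag
        raise ValueError("datagram shorter than a TZSP header")
    version, ptype, encap = struct.unpack_from("!BBH", datagram, 0)
    if version != TZSP_VERSION:
        raise ValueError(f"unsupported TZSP version {version}")
    if ptype != TZSP_TYPE_RECEIVED:
        raise ValueError(f"not a received-packet datagram (type {ptype})")
    tags: Dict[int, bytes] = {}
    pos = 4
    while True:
        if pos >= len(datagram):
            raise ValueError("tag list is not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError(f"tag {tag:#04x} has no length byte")
        length = datagram[pos]
        pos += 1
        if pos + length > len(datagram):
            raise ValueError(f"tag {tag:#04x} length {length} overruns datagram")
        tags[tag] = datagram[pos:pos + length]
        pos += length
    return encap, tags, datagram[pos:]


def pcap_file(frames, linktype: int = 1) -> bytes:
    """Serialize frames as a classic pcap (DLT_EN10MB) for tshark/Wireshark.

    Timestamps are synthetic (frame index as seconds): TZSP carries no
    mandatory timestamp, so a real receiver would stamp arrival time.
    """
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return bytes(out)


# Constructed sample frame: Ethernet header with an IPv4 EtherType and a
# zeroed, truncated payload. Not captured traffic.
SAMPLE_FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800") + bytes(20)


def round_trip(frame: bytes = SAMPLE_FRAME) -> bytes:
    """Encode a frame, decode the datagram, and return the recovered frame."""
    datagram = tzsp_encode(frame, {TAG_RX_CHANNEL: b"\x06"})
    encap, tags, inner = tzsp_decode(datagram)
    assert encap == TZSP_ENCAP_ETHERNET and tags == {TAG_RX_CHANNEL: b"\x06"}
    return inner


if __name__ == "__main__":
    recovered = round_trip()
    print(f"recovered {len(recovered)}-byte frame; pcap output would be "
          f"{len(pcap_file([recovered]))} bytes")
```

A real receiver binds a UDP socket on the port given to -p, calls tzsp_decode on each datagram and appends the returned frame to the pcap output. Because the datagrams arrive unauthenticated, the decoder treats every length field as untrusted, which is the check a hand-rolled collector most often forgets.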

Original Download Location

https://git.freestone.net/cramer/pcapmirror

Packages

The original download location also provides several prebuilt packages.

Compile and Install

Supported Operating Systems

The source is tested to build and run on the following operating systems:

  • Debian Linux 12 and unstable (sid)
  • Rocky Linux 8 and 9
  • PiOS 12 (bookworm)
  • OpenBSD 7.6
  • macOS 15

Compile the program:

make

Install the program:

make install

This copies the pcapmirror executable to the bin directory below the install prefix. Adjust the PREFIX variable in the Makefile if you want to install it to a different location.

Dependencies

libpcap: You need to have libpcap installed on your system. On Debian/Ubuntu systems, you can install it using:

sudo apt-get install libpcap-dev

On Fedora/CentOS/RHEL/Rocky systems, you can install it using (dnf and yum are interchangeable on current releases):

sudo yum install libpcap-devel

Build debian package

If you have never built a Debian package, you probably need debhelper (dpkg-buildpackage itself comes from dpkg-dev, which debhelper pulls in):

sudo apt-get install debhelper

Then build the package with this command; -uc and -us skip signing the .changes and source files, which is fine for a local build:

dpkg-buildpackage -uc -us