README
¶
bloodhound
An extensible packet sniffer application that can filter and monitor network traffic. It also has capabilities of producing alerts.
Dependencies
Operating System Dependencies
Depending on the operating system, the install instructions will be different.
- libpcap for monitoring network traffic on the operating system
Go Dependencies
The below dependencies are managed by the Godeps and will require godeps to be installed. Please see the Godep installation for more instructions.
- gopacket for packet sniffing
- ginkgo for BDD style tests
- gomega for matchers used to create assertions in gingko
Documentation
Running the application
Running the application with the below command will require building it in this section.
Note: the sudo may be required to allow the application to listen to the specified network interface.
sudo ./bloodhound
Flags
Some flags that can be used to customize the application at runtime.
# network flags
- interface - Network interface to listen for packets
- default: "en0"
- protocol - Protocol to listen for packets
- default: "tcp"
- port - Port to listen to for packets
- default: "80"
# monitoring and alerting flags
- monitor - Monitoring duration in seconds to which to send a summary
- default: 10
- duration - Duration in seconds that
- default: 30
- traffic - Traffic amount that should trigger an alert
- default: 100
Building
Run the below command in the
godep go build
Running tests
Run the below command in the directory of the top most directory of the project.
godep go test ./...
Design
Below are some of the extensible components, namely interfaces and what their responsibilities are. Under each component are a list of pre-existing components that implements the respective interface.
Interfaces and Implementations
Components that can be extended or customized to be used in the application.
TrafficFilterdecides what messages to filter out and keepHTTPTrafficFilterfilters all traffic that are not HTTP traffic
Monitormonitors trafficTrafficMonitorgenerates statistical summaries for traffic received and sent
Alertevaluates whether an event surpasses the threshold or reverts to normalTotalTrafficAlertkeeps track of the total number of events in a given time window
Notificationthat determines when to alertConsoleNotificationalerts to the console
Domain Messages
Messages that are passed from one component to another.
Eventrepresents a network event with fields such as status, payload, sender, destination, etcTrafficStatisticshas fields for different traffic statistics such as average payload size and total payload size
Application
Application that listens to network traffic and passes it through a filter, a monitor, a threshold, and eventually an alert if traffic surpasses the threshold.
Applicationis composed of the different interfaces, namely theTrafficFilter,Monitor,Alert, andNotificationto allow custom components to filter for relevant traffic, monitor the filtered traffic, and alert when when the traffic surpasses some threshold
License
bloodhound is released under the MIT License.
Documentation
¶
There is no documentation for this package.
Source Files
¶
Directories
¶
| Path | Synopsis |
|---|---|
|
Godeps
|
|
|
_workspace/src/github.com/google/gopacket
Package gopacket provides packet decoding for the Go language.
|
Package gopacket provides packet decoding for the Go language. |
|
_workspace/src/github.com/google/gopacket/afpacket
Package afpacket provides Go bindings for MMap'd AF_PACKET socket reading.
|
Package afpacket provides Go bindings for MMap'd AF_PACKET socket reading. |
|
_workspace/src/github.com/google/gopacket/bytediff
Package bytediff provides a simple diff utility for looking at differences in byte slices.
|
Package bytediff provides a simple diff utility for looking at differences in byte slices. |
|
_workspace/src/github.com/google/gopacket/dumpcommand
Package dumpcommand implements a run function for pfdump and pcapdump with many similar flags/features to tcpdump.
|
Package dumpcommand implements a run function for pfdump and pcapdump with many similar flags/features to tcpdump. |
|
_workspace/src/github.com/google/gopacket/examples/arpscan
arpscan implements ARP scanning of all interfaces' local networks using gopacket and its subpackages.
|
arpscan implements ARP scanning of all interfaces' local networks using gopacket and its subpackages. |
|
_workspace/src/github.com/google/gopacket/examples/bidirectional
This binary provides an example of connecting up bidirectional streams from the unidirectional streams provided by gopacket/tcpassembly.
|
This binary provides an example of connecting up bidirectional streams from the unidirectional streams provided by gopacket/tcpassembly. |
|
_workspace/src/github.com/google/gopacket/examples/bytediff
This binary shows how to display byte differences to users via the bytediff library.
|
This binary shows how to display byte differences to users via the bytediff library. |
|
_workspace/src/github.com/google/gopacket/examples/httpassembly
This binary provides sample code for using the gopacket TCP assembler and TCP stream reader.
|
This binary provides sample code for using the gopacket TCP assembler and TCP stream reader. |
|
_workspace/src/github.com/google/gopacket/examples/pcapdump
The pcapdump binary implements a tcpdump-like command line tool with gopacket using pcap as a backend data collection mechanism.
|
The pcapdump binary implements a tcpdump-like command line tool with gopacket using pcap as a backend data collection mechanism. |
|
_workspace/src/github.com/google/gopacket/examples/pfdump
The pfdump binary implements a tcpdump-like command line tool with gopacket using pfring as a backend data collection mechanism.
|
The pfdump binary implements a tcpdump-like command line tool with gopacket using pfring as a backend data collection mechanism. |
|
_workspace/src/github.com/google/gopacket/examples/statsassembly
This binary provides sample code for using the gopacket TCP assembler raw, without the help of the tcpreader library.
|
This binary provides sample code for using the gopacket TCP assembler raw, without the help of the tcpreader library. |
|
_workspace/src/github.com/google/gopacket/examples/synscan
synscan implements a TCP syn scanner on top of pcap.
|
synscan implements a TCP syn scanner on top of pcap. |
|
_workspace/src/github.com/google/gopacket/examples/util
Package util provides shared utilities for all gopacket examples.
|
Package util provides shared utilities for all gopacket examples. |
|
_workspace/src/github.com/google/gopacket/layers
Package layers provides decoding layers for many common protocols.
|
Package layers provides decoding layers for many common protocols. |
|
_workspace/src/github.com/google/gopacket/macs
Package macs provides an in-memory mapping of all valid Ethernet MAC address prefixes to their associated organization.
|
Package macs provides an in-memory mapping of all valid Ethernet MAC address prefixes to their associated organization. |
|
_workspace/src/github.com/google/gopacket/pcap
Package pcap allows users of gopacket to read packets off the wire or from pcap files.
|
Package pcap allows users of gopacket to read packets off the wire or from pcap files. |
|
_workspace/src/github.com/google/gopacket/pcap/gopacket_benchmark
This benchmark reads in file <tempdir>/gopacket_benchmark.pcap and measures the time it takes to decode all packets from that file.
|
This benchmark reads in file <tempdir>/gopacket_benchmark.pcap and measures the time it takes to decode all packets from that file. |
|
_workspace/src/github.com/google/gopacket/pcapgo
Package pcapgo provides some native PCAP support, not requiring C libpcap to be installed.
|
Package pcapgo provides some native PCAP support, not requiring C libpcap to be installed. |
|
_workspace/src/github.com/google/gopacket/pfring
Package pfring wraps the PF_RING C library for Go.
|
Package pfring wraps the PF_RING C library for Go. |
|
_workspace/src/github.com/google/gopacket/routing
Package routing provides a very basic but mostly functional implementation of a routing table for IPv4/IPv6 addresses.
|
Package routing provides a very basic but mostly functional implementation of a routing table for IPv4/IPv6 addresses. |
|
_workspace/src/github.com/google/gopacket/tcpassembly
Package tcpassembly provides TCP stream re-assembly.
|
Package tcpassembly provides TCP stream re-assembly. |
|
_workspace/src/github.com/google/gopacket/tcpassembly/tcpreader
Package tcpreader provides an implementation for tcpassembly.Stream which presents the caller with an io.Reader for easy processing.
|
Package tcpreader provides an implementation for tcpassembly.Stream which presents the caller with an io.Reader for easy processing. |
|
_workspace/src/github.com/onsi/ginkgo
Ginkgo is a BDD-style testing framework for Golang The godoc documentation describes Ginkgo's API.
|
Ginkgo is a BDD-style testing framework for Golang The godoc documentation describes Ginkgo's API. |
|
_workspace/src/github.com/onsi/ginkgo/config
Ginkgo accepts a number of configuration options.
|
Ginkgo accepts a number of configuration options. |
|
_workspace/src/github.com/onsi/ginkgo/ginkgo
The Ginkgo CLI The Ginkgo CLI is fully documented [here](http://onsi.github.io/ginkgo/#the_ginkgo_cli) You can also learn more by running: ginkgo help Here are some of the more commonly used commands: To install: go install github.com/onsi/ginkgo/ginkgo To run tests: ginkgo To run tests in all subdirectories: ginkgo -r To run tests in particular packages: ginkgo <flags> /path/to/package /path/to/another/package To pass arguments/flags to your tests: ginkgo <flags> <packages> -- <pass-throughs> To run tests in parallel ginkgo -nodes=N where N is the number of nodes.
|
The Ginkgo CLI The Ginkgo CLI is fully documented [here](http://onsi.github.io/ginkgo/#the_ginkgo_cli) You can also learn more by running: ginkgo help Here are some of the more commonly used commands: To install: go install github.com/onsi/ginkgo/ginkgo To run tests: ginkgo To run tests in all subdirectories: ginkgo -r To run tests in particular packages: ginkgo <flags> /path/to/package /path/to/another/package To pass arguments/flags to your tests: ginkgo <flags> <packages> -- <pass-throughs> To run tests in parallel ginkgo -nodes=N where N is the number of nodes. |
|
_workspace/src/github.com/onsi/ginkgo/ginkgo/support/fsnotify
Package fsnotify implements filesystem notification.
|
Package fsnotify implements filesystem notification. |
|
_workspace/src/github.com/onsi/ginkgo/internal/remote
Aggregator is a reporter used by the Ginkgo CLI to aggregate and present parallel test output coherently as tests complete.
|
Aggregator is a reporter used by the Ginkgo CLI to aggregate and present parallel test output coherently as tests complete. |
|
_workspace/src/github.com/onsi/ginkgo/reporters
Ginkgo's Default Reporter A number of command line flags are available to tweak Ginkgo's default output.
|
Ginkgo's Default Reporter A number of command line flags are available to tweak Ginkgo's default output. |
|
_workspace/src/github.com/onsi/gomega
Gomega is the Ginkgo BDD-style testing framework's preferred matcher library.
|
Gomega is the Ginkgo BDD-style testing framework's preferred matcher library. |
|
_workspace/src/github.com/onsi/gomega/format
Gomega's format package pretty-prints objects.
|
Gomega's format package pretty-prints objects. |
|
_workspace/src/github.com/onsi/gomega/gbytes
Package gbytes provides a buffer that supports incrementally detecting input.
|
Package gbytes provides a buffer that supports incrementally detecting input. |
|
_workspace/src/github.com/onsi/gomega/gexec
Package gexec provides support for testing external processes.
|
Package gexec provides support for testing external processes. |
|
_workspace/src/github.com/onsi/gomega/ghttp
Package ghttp supports testing HTTP clients by providing a test server (simply a thin wrapper around httptest's server) that supports registering multiple handlers.
|
Package ghttp supports testing HTTP clients by providing a test server (simply a thin wrapper around httptest's server) that supports registering multiple handlers. |
|
_workspace/src/github.com/onsi/gomega/ghttp/protobuf
Package protobuf is a generated protocol buffer package.
|
Package protobuf is a generated protocol buffer package. |
|
_workspace/src/github.com/onsi/gomega/matchers
Gomega matchers This package implements the Gomega matchers and does not typically need to be imported.
|
Gomega matchers This package implements the Gomega matchers and does not typically need to be imported. |
Click to show internal directories.
Click to hide internal directories.