Friday, June 10, 2022

Distributed Tcpdump For Cloud Native Environments




Deepfence PacketStreamer is a high-performance remote packet capture and collection tool. It is used by Deepfence's ThreatStryker security observability platform to gather network traffic on demand from cloud workloads for forensic analysis.

Primary design goals:

  • Stay light: capture and stream, no additional processing
  • Portability: works across virtual machines, Kubernetes and AWS Fargate, on Linux and Windows

PacketStreamer sensors are started on the target servers. Sensors capture traffic, apply filters, and then stream the traffic to a central receiver. Traffic streams may be compressed and/or encrypted using TLS.

The PacketStreamer receiver accepts PacketStreamer streams from multiple remote sensors and writes the packets to a local pcap capture file.

PacketStreamer sensors collect raw network packets on remote hosts. A sensor selects packets to capture using a BPF filter and forwards them to a central receiver process, where they are written in pcap format. Sensors are very lightweight and impose little performance impact on the remote hosts. PacketStreamer sensors can be run on bare-metal servers, on Docker hosts, and on Kubernetes nodes.

The PacketStreamer receiver accepts network traffic from multiple sensors, collecting it into a single, central pcap file. You can then process the pcap file or live-feed the traffic to the tooling of your choice, such as Zeek, Wireshark or Suricata, or as a live stream for machine learning models.
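As an added example (not code from the PacketStreamer project), a stdlib-only Python reader for the kind of classic pcap file the receiver writes: it handles both byte orders and the nanosecond magic, refuses a file whose last record was cut short (a receiver killed mid-write), and aggregates packets per IPv4 5-tuple. The sample capture, addresses and ports are constructed for the demo.

```python
import struct
from collections import Counter

PCAP_MAGIC = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}

def iter_pcap_records(data):
    """Yield (linktype, packet_bytes) from a classic pcap byte string."""
    end = PCAP_MAGIC.get(struct.unpack_from("<I", data, 0)[0])
    if end is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(end + "I", data, 20)[0]
    off = 24                                    # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _frac, incl_len, _orig = struct.unpack_from(end + "IIII", data, off)
        off += 16
        if off + incl_len > len(data):          # file cut mid-record (receiver still writing/killed)
            raise ValueError("truncated pcap record at offset %d" % off)
        yield linktype, data[off:off + incl_len]
        off += incl_len

def flow_counts(data):
    """Count packets per IPv4 5-tuple; non-Ethernet or non-IPv4 frames are skipped."""
    counts = Counter()
    for linktype, pkt in iter_pcap_records(data):
        if linktype != 1 or len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue
        ihl, proto = (pkt[14] & 0x0F) * 4, pkt[23]
        src = ".".join(str(b) for b in pkt[26:30])
        dst = ".".join(str(b) for b in pkt[30:34])
        sport = dport = None
        if proto in (6, 17) and len(pkt) >= 14 + ihl + 4:   # TCP/UDP ports follow the IP header
            sport, dport = struct.unpack_from("!HH", pkt, 14 + ihl)
        counts[(src, dst, proto, sport, dport)] += 1
    return counts

# Constructed sample capture (not a real PacketStreamer dump): Ethernet/IPv4/UDP frames to port 53
def _udp_frame(src, dst, sport, dport, payload=b"x" * 8):
    ip_src, ip_dst = (bytes(int(o) for o in a.split(".")) for a in (src, dst))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0) + ip_src + ip_dst + udp
    return b"\x00" * 12 + b"\x08\x00" + ip

def sample_pcap(magic=0xA1B2C3D4):
    frames = [_udp_frame("10.0.0.5", "10.0.0.53", 40000, 53)] * 3 + [_udp_frame("10.0.0.9", "10.0.0.53", 40001, 53)]
    header = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    return header + b"".join(struct.pack("<IIII", 1, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    for flow, n in flow_counts(sample_pcap()).most_common():
        print(n, flow)
```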

When to use PacketStreamer

PacketStreamer meets more general use cases than existing alternatives. For example, PacketBeat captures and parses the packets on multiple remote hosts, assembles transactions, and ships the processed data to a central ElasticSearch collector. ksniff captures raw packet data from a single Kubernetes pod.

Use PacketStreamer if you need a lightweight, efficient method to collect raw network data from multiple machines for central logging and analysis.

Quick Start

For full instructions, refer to the PacketStreamer Documentation.

You will need to install the golang toolchain and libpcap-dev before building PacketStreamer.

# Pre-requisites (Ubuntu): sudo apt install golang-go libpcap-dev
git clone https://github.com/deepfence/PacketStreamer.git
cd PacketStreamer/
make

Run a PacketStreamer receiver, listening on port 8081 and writing pcap output to /tmp/dump_file (see receiver.yaml):

./packetstreamer receiver --config ./contrib/config/receiver.yaml

Run one or more PacketStreamer sensors on local and remote hosts. Edit the server address in sensor.yaml:

# run on the target hosts to capture and forward traffic

# copy and edit the sample sensor-local.yaml file, and add the address of the receiver host
cp ./contrib/config/sensor-local.yaml ./contrib/config/sensor.yaml

./packetstreamer sensor --config ./contrib/config/sensor.yaml

Who uses PacketStreamer?

Get in touch

Thank you for using PacketStreamer.

  • Start with the documentation
  • Got a question, need some help? Find the Deepfence team on Slack
  • Got a feature request or found a bug? Raise an issue
  • productsecurity at deepfence dot io: Found a security issue? Share it in confidence
  • Find out more at deepfence.io

Security and Support

For any security-related issues in the PacketStreamer project, contact productsecurity at deepfence dot io.

Please file GitHub issues as needed, and join the Deepfence Community Slack channel.

License

The Deepfence PacketStreamer project (this repository) is available under the Apache2 license.

Contributions to the Deepfence PacketStreamer project are similarly accepted under the Apache2 license, as per GitHub's inbound=outbound policy.
