Packemon

Packet monster (っ‘-’)╮=͟͟͞͞◒ ヽ( '-'ヽ) TUI tool for sending packets of arbitrary input and monitoring packets on any network interfaces (default: eth0). Windows/macOS/Linux

Packémon

Packet monster, or Packémon for short! (っ‘-’)╮=͟͟͞͞◒ ヽ( '-'ヽ) <br>

https://github.com/user-attachments/assets/08f96575-7aca-47e7-bdeb-6705ce2bbaba

TUI tool for generating packets of arbitrary input and monitoring packets on any network interface (default: eth0). Run packemon interfaces to list the interfaces that can be specified.<br> This tool works on Windows, macOS, and Linux.<br>

This TUI tool is now available on macOS because of cluster2600 support. Thanks🎉!

I intend to develop it patiently🌴

The images of Packemon in this README should be used as reference only, as they may look different from the actual Packemon.

[!WARNING] This tool implements its protocol stacks from scratch and uses raw sockets.<br> There may be many bugs. If you find a bug, I would be glad if you raise an issue or give me a pull request!

Feature - Overview

This TUI tool has two major functions: packet generation and packet monitoring.

|Generated DNS query <br>and Received response|Displayed DNS response detail|Filtered packets|
|--|--|--|
||||

This image shows packemon running in Generator / Monitor mode.<br> The DNS query packet generated by the Generator on the left is shown on line 56 of the Monitor. The DNS query response packet is shown on line 57, and a more detailed view of it is shown in the middle image.<br> See here for detailed instructions.

Packemon's Monitor lets the user select individual packets: select any line and press the Enter key to see the details of that packet. Pressing the Esc key in the packet detail screen returns you to the original packet list screen. The rightmost image shows how the packet list is filtered.

Feature - Generator

Send generated packets to any network interface.

  • You can specify network interface with --interface flag. Default is eth0.

Packets of various protocols are supported.

<details><summary>details</summary>
  • [x] Ethernet

    • [x] IEEE802.1Q(VLAN tag)
  • [x] ARP

  • [x] IPv4

  • [x] IPv6

  • [x] ICMPv4

  • [ ] ICMPv6

  • [x] TCP

  • [x] UDP

  • [x] TLSv1.2

    • Implementation using Go standard package (The following are valid fields;)

      • IPv4: Source IP Addr, Destination IP Addr
      • IPv6: Source IP Addr, Destination IP Addr
      • TCP: Source Port, Destination Port, Do TCP 3way handshake ?(Check required)
      • HTTP: All fields
    • Experimental implementation (full scratch)

      • This tool is not very useful because the number of cipher suites it supports is still small, but an environment where you can try it out can be found here.
        • TCP 3way handshake ~ TLS handshake ~ TLS Application data (encrypted HTTP)
      • Supported cipher suites include
        • TLS_RSA_WITH_AES_128_GCM_SHA256
      • You can check the server for available cipher suites with the following command
        • nmap --script ssl-enum-ciphers -p 443 <server ip>
  • [x] TLSv1.3

    • Implementation using Go standard package (The following are valid fields;)

      • IPv4: Source IP Addr, Destination IP Addr
      • IPv6: (Not available... Coming soon!)
      • TCP: Source Port, Destination Port, Do TCP 3way handshake ?(Check required)
      • HTTP: All fields
    • Experimental implementation (full scratch)

      • This tool is not very useful because the number of cipher suites it supports is still small, but an environment where you can try it out can be found here.
        • TCP 3way handshake ~ TLS handshake ~ TLS Application data (encrypted HTTP)
      • Supported cipher suites include
        • TLS_CHACHA20_POLY1305_SHA256
  • [x] QUIC (Using github.com/quic-go/quic-go. The following are valid fields;)

    • IPv4: Source IP Addr, Destination IP Addr
    • IPv6: Source IP Addr, Destination IP Addr
    • UDP: Source Port, Destination Port (UDP selection required)
    • QUIC: All fields
    • HTTP: All fields
      • 🥳< HTTP/3!
  • [x] DNS (WIP)

  • [x] HTTP (WIP)

  • [ ] xxxxx....

  • [ ] Routing Protocols

    • IGP (Interior Gateway Protocol)
      • [ ] OSPF (Open Shortest Path First)
      • [ ] EIGRP (Enhanced Interior Gateway Routing Protocol)
      • [ ] RIP (Routing Information Protocol)
    • EGP (Exterior Gateway Protocol)
</details>

[!WARNING] While using Generator mode, TCP RST packets automatically sent out by the kernel are dropped. When this mode is stopped, the original state is restored. Probably😅. Incidentally, the RST packets are dropped by running an eBPF program. The background on incorporating eBPF is in the post on X around here.

[!TIP] While in Generator mode, output of bpf_printk of eBPF program can be checked by executing the following command.<br> $ sudo mount -t debugfs none /sys/kernel/debug (only once)<br> $ sudo cat /sys/kernel/debug/tracing/trace_pipe
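
The decision behind the RST dropping described above, as an added userspace Go example (not Packemon's own eBPF program): the kernel has no socket for a connection built over a raw socket, so it answers the peer with RST, and a filter has to recognise exactly those segments. `IsTCPRST` and `SampleFrame` are hypothetical names, the frames are constructed, and only IPv4 with at most one VLAN tag is handled.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// IsTCPRST reports whether frame is an Ethernet (optionally 802.1Q-tagged)
// IPv4/TCP segment with RST set. Truncated or non-TCP input returns false.
func IsTCPRST(frame []byte) bool {
	if len(frame) < 14 {
		return false
	}
	etherType, off := binary.BigEndian.Uint16(frame[12:]), 14
	if etherType == 0x8100 { // 802.1Q: TCI (2 bytes) + real EtherType (2 bytes)
		if len(frame) < 18 {
			return false
		}
		etherType, off = binary.BigEndian.Uint16(frame[16:]), 18
	}
	if etherType != 0x0800 || len(frame) < off+20 {
		return false
	}
	ihl := int(frame[off]&0x0f) * 4 // IPv4 header length in bytes
	fragOff := binary.BigEndian.Uint16(frame[off+6:]) & 0x1fff
	if frame[off]>>4 != 4 || ihl < 20 || frame[off+9] != 6 || fragOff != 0 {
		return false // not IPv4/TCP, or a later fragment without a TCP header
	}
	tcp := off + ihl
	return len(frame) >= tcp+14 && frame[tcp+13]&0x04 != 0 // flags byte, RST bit
}

// SampleFrame builds a constructed frame (zeroed addresses and ports) for the demo.
func SampleFrame(vlan bool, tcpFlags byte) []byte {
	f := make([]byte, 12) // dst MAC + src MAC
	if vlan {
		f = append(f, 0x81, 0x00, 0x00, 0x0a) // TPID + TCI (VLAN ID 10)
	}
	f = append(f, 0x08, 0x00) // EtherType IPv4
	ip := make([]byte, 20)
	ip[0], ip[9] = 0x45, 6 // version 4, IHL 5, protocol TCP
	tcp := make([]byte, 20)
	tcp[12], tcp[13] = 0x50, tcpFlags // data offset 5, flags
	return append(append(f, ip...), tcp...)
}

func main() {
	fmt.Println(IsTCPRST(SampleFrame(false, 0x04)), IsTCPRST(SampleFrame(true, 0x14)))
}
```

A real egress filter would also match the connection's addresses and ports before dropping, so that RSTs belonging to unrelated connections still go out.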

Feature - Monitor

Monitor any network interface.

  • You can specify network interface with --interface flag. Default is eth0.

Can filter packets to be displayed.

  • You can filter the values for each item (e.g. Dst, Proto, SrcIP...etc.) displayed in the listed packets.

Specified packets can be saved to pcapng file.

Packets of various protocols are supported.

<details><summary>details</summary>
  • [x] Ethernet
    • [x] IEEE802.1Q(VLAN tag)
  • [x] ARP
  • [x] IPv4 (WIP)
  • [x] IPv6 (WIP)
  • [x] ICMPv4 (WIP)
  • [ ] ICMPv6
  • [x] TCP (WIP)
  • [x] UDP
  • [x] TLSv1.2 (WIP)
  • [ ] TLSv1.3
  • [ ] DNS (WIP)
    • [x] DNS query
    • [x] DNS query response
    • [ ] xxxxx....
  • [ ] HTTP (WIP)
    • [x] HTTP GET request
    • [x] HTTP GET response
    • [ ] xxxxx....
  • [ ] xxxxx....
  • [ ] Routing Protocols
    • IGP (Interior Gateway Protocol)
      • [ ] OSPF (Open Shortest Path First)
      • [ ] EIGRP (Enhanced Interior Gateway Routing Protocol)
      • [ ] RIP (Routing Information Protocol)
    • EGP (Exterior Gateway Protocol)
      • [ ] BGP (Border Gateway Protocol)
</details>

[!WARNING] If packet parsing fails, it is indicated by “Proto:ETHER” as shown in the following image.

If you want to check the details of the packet, you can select the line, save it to a pcapng file, and import it into Wireshark or other software🙏

Installation

Source build

[!IMPORTANT] For Linux, the items in the 'Dependencies' section of https://ebpf-go.dev/guides/getting-started/#ebpf-c-program are required.<br> For Windows, Npcap is required. Check the following options when installing it:<br>

  • Support raw 802.11 traffic (and monitor mode) for wireless adapters
  • Install Npcap in WinPcap API-compatible Mode
<pre>
$ git clone git@github.com:ddddddO/packemon.git
$ cd packemon

(For Linux)
$ cd tc_program/ && go generate && cd -

(For Linux or macOS)
$ go build -o packemon cmd/packemon/*.go
$ ls | grep packemon
$ mv packemon /usr/local/bin/

(For Windows)
$ go build -o packemon.exe .\cmd\packemon\
</pre>

Package manager

[!IMPORTANT] Generation of the executable file may be failing. In that case, install it another way!

For arm64, replace “amd64” with “arm64” in the following commands and execute them.

<pre>
<b>deb</b>
$ export PACKEMON_VERSION=X.X.X
$ curl -o packemon.deb -L https://github.com/ddddddO/packemon/releases/download/v$PACKEMON_VERSION/packemon_$PACKEMON_VERSION-1_amd64.deb
$ dpkg -i packemon.deb

<b>rpm</b>
$ export PACKEMON_VERSION=X.X.X
$ (Ubuntu)
</pre>