Introducing PacketStreamer: Distributed Packet Capture for Cloud Native Platforms
April 2, 2022
PacketStreamer is an open source tool that captures network traffic from multiple remote sources concurrently and aggregates the data into a single pcap log file. It is written in golang and supports network capture from Kubernetes nodes, Docker hosts, and bare-metal/virtual-machine servers.
One foundation of a good cybersecurity practice is the ability to capture attack actor TTPs (Tactics, Techniques, and Procedures) from across and behind the attack surface. Tools such as Sysdig Falco capture TTP signals from running workloads (process changes, filesystem access, etc.), and can give indications of local compromise, but these signals alone only tell the late-stage story of an attack event.
Organizations need to see a bigger context, and that’s where network capture and analysis comes into play. Observing network traffic can reveal attacker behaviors before a successful compromise, such as reconnaissance activity and weaponization that is targeted at specific vulnerabilities. Observing traffic can also reveal lateral spread and exfiltration activities.
For example, in a log4j exploit, almost all of the initial signals are network-based. The initial JNDI recon against multiple workloads, the JNDI request that then triggers an outgoing request (beacon) to an attacker’s listener, the subsequent request that retrieves the Java class to be run… all of these are network activities and cannot be identified by on-workload sensors. The first signal you get from on-workload telemetry may be the installation of an exploit kit (a crypto-miner for example).
What Can I Do with PacketStreamer?
With PacketStreamer, you can extend your traffic capture activities to span large numbers of target systems. For example, if you run honeypot servers to gather attack TTPs, you can use PacketStreamer to listen for traffic and aggregate all captured traffic on a central receiver.
In the following example, we install PacketStreamer on three honeypot servers: a host with a basic WordPress installation, one with an inviting NGINX configuration that responds to every request with a 200 OK message, and a host running the honeydb service.
Our honeypot servers run a range of web and other services, and routinely receive recon traffic from remote hosts. We’ll use packetstreamer to capture the traffic and forward it to the target receiver:
# update sensor-remote.yaml to send traffic to the target
# receiver IP address and port
The receiver server writes the aggregated captured traffic to a log file, such as /tmp/dump_file. You can watch and process that log file in a variety of ways, such as using tshark to decode selected protocols:
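As an added illustration of what can be done with the receiver's output once it is on disk (example code, not PacketStreamer's own and not part of the original post), the block below parses a classic libpcap file with the standard library only and applies a simple recon heuristic: a source that sends bare SYNs to many distinct destination ports on the honeypot is flagged as a probable port scanner. It assumes the receiver writes little-endian classic pcap (magic 0xa1b2c3d4) with an Ethernet link type; the capture it analyses is constructed inline with the hypothetical addresses 203.0.113.9 (scanner), 198.51.100.7 (ordinary client) and 10.0.0.5 (honeypot), so it runs offline. To use it on a real file, pass the bytes of /tmp/dump_file to find_port_scanners instead of sample_capture().

```python
"""Offline triage of an aggregated pcap (constructed example, not project code)."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4        # classic little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_pcap(frames):
    """Serialize raw Ethernet frames into a libpcap 2.4 file image."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    out = [header]
    for ts, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, incl_len, orig_len
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def tcp_frame(src_ip, dst_ip, src_port, dst_port, flags=0x02):
    """Build an Ethernet/IPv4/TCP frame with the given TCP flags (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                         # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


def parse_pcap(data):
    """Yield (src_ip, dst_ip, proto, dst_port, tcp_flags) for every IPv4 record."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                         # non-IPv4 or truncated
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        l4 = frame[14 + ihl:]
        dst_port, flags = None, None
        if proto == 6 and len(l4) >= 14:                     # TCP: port at +2, flags at +13
            dst_port = struct.unpack_from("!H", l4, 2)[0]
            flags = l4[13]
        elif proto == 17 and len(l4) >= 4:                   # UDP: port at +2
            dst_port = struct.unpack_from("!H", l4, 2)[0]
        yield src, dst, proto, dst_port, flags


def find_port_scanners(data, min_ports=10):
    """Return {src_ip: distinct_ports} for sources whose bare SYNs (no ACK)
    touched at least min_ports distinct destination ports."""
    syn_ports = defaultdict(set)
    for src, _dst, proto, dport, flags in parse_pcap(data):
        if proto == 6 and flags == 0x02:
            syn_ports[src].add(dport)
    return {s: len(p) for s, p in syn_ports.items() if len(p) >= min_ports}


def sample_capture():
    """Constructed capture: one scanner sweeping 12 ports, one normal HTTP client."""
    frames = [tcp_frame("203.0.113.9", "10.0.0.5", 40000 + i, port)
              for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3306, 8080, 8443])]
    frames += [tcp_frame("198.51.100.7", "10.0.0.5", 51000, 80, 0x02),   # SYN
               tcp_frame("198.51.100.7", "10.0.0.5", 51000, 80, 0x10),   # ACK
               tcp_frame("198.51.100.7", "10.0.0.5", 51000, 80, 0x18)]   # PSH|ACK
    return build_pcap(frames)


if __name__ == "__main__":
    for src, n in find_port_scanners(sample_capture()).items():
        print("probable scan from %s: %d distinct ports" % (src, n))
```

The SYN-only filter is what separates reconnaissance from ordinary traffic: a legitimate client opens one connection per service, so its distinct-port count stays small, whereas a sweep shows up as one source touching many ports with half-open handshakes. Thresholds and the set of watched protocols are the knobs to tune per honeypot.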
PacketStreamer is also an integral part of the Deepfence ThreatStryker product. ThreatStryker gathers attack actor TTPs from cloud workloads and from network traffic. It classifies them to determine the TTP type and potential intent, and correlates the signals to determine how an attack is unfolding in real time.
To the best of our knowledge, there is no other simple, lightweight, scalable method to capture and stream packets from virtualized environments (K8s, VMs, AWS Fargate) and across multiple clouds. We’re open sourcing this tool to enable users to:
Capture and retain traffic for post facto analysis and forensics
Support threat-hunting activities across a broad target infrastructure
Experiment with new approaches such as ML against network traffic to detect anomalies