• Stars
    star
    1,870
  • Rank 24,794 (Top 0.5 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created over 2 years ago
  • Updated 5 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

⭐ ⭐ Distributed tcpdump for cloud native environments ⭐ ⭐

Documentation GitHub license GitHub stars Hacktoberfest GitHub issues Slack

PacketStreamer

Deepfence PacketStreamer is a high-performance remote packet capture and collection tool. It is used by Deepfence's ThreatStryker security observability platform to gather network traffic on demand from cloud workloads for forensic analysis.

Primary design goals:

  • Stay light, capture and stream, no additional processing
  • Portability, works across virtual machines, Kubernetes and AWS Fargate. Linux and Windows

PacketStreamer sensors are started on the target servers. Sensors capture traffic, apply filters, and then stream the traffic to a central reciever. Traffic streams may be compressed and/or encrypted using TLS.

The PacketStreamer receiver accepts PacketStreamer streams from multiple remote sensors, and writes the packets to a local pcap capture file

PacketStreamer sensors collect raw network packets on remote hosts. It selects packets to capture using a BPF filter, and forwards them to a central reciever process where they are written in pcap format. Sensors are very lightweight and impose little performance impact on the remote hosts. PacketStreamer sensors can be run on bare-metal servers, on Docker hosts, and on Kubernetes nodes.

The PacketStreamer receiver accepts network traffic from multiple sensors, collecting it into a single, central pcap file. You can then process the pcap file or live feed the traffic to the tooling of your choice, such as Zeek, Wireshark Suricata, or as a live stream for Machine Learning models.

When to use PacketStreamer

PacketStreamer meets more general use cases than existing alternatives. For example , Use PacketStreamer if you need a lightweight, efficient method to collect raw network data from multiple machines for central logging and analysis.

Quick Start

PacketStreamer QuickStart

For full instructions, refer to the PacketStreamer Documentation.

You will need to install the golang toolchain and libpcap-dev before building PacketStreamer.

# Pre-requisites (Ubuntu): sudo apt install golang-go libpcap-dev
git clone https://github.com/deepfence/PacketStreamer.git
cd PacketStreamer/
make

Run a PacketStreamer receiver, listening on port 8081 and writing pcap output to /tmp/dump_file (see receiver.yaml):

./packetstreamer receiver --config ./contrib/config/receiver.yaml

Run one or more PacketStreamer sensors on local and remote hosts. Edit the server address in sensor.yaml:

# run on the target hosts to capture and forward traffic

# copy and edit the sample sensor-local.yaml file, and add the address of the receiver host
cp ./contrib/config/sensor-local.yaml ./contrib/config/sensor.yaml

./packetstreamer sensor --config ./contrib/config/sensor.yaml

Who uses PacketStreamer?

  • Deepfence ThreatStryker uses PacketStreamer to capture traffic from production platforms for forensics and anomaly detection.

Get in touch

Thank you for using PacketStreamer.

  • Start with the documentation
  • Got a question, need some help? Find the Deepfence team on Slack
  • GitHub issues Got a feature request or found a bug? Raise an issue
  • productsecurity at deepfence dot io: Found a security issue? Share it in confidence
  • Find out more at deepfence.io

Security and Support

For any security-related issues in the PacketStreamer project, contact productsecurity at deepfence dot io.

Please file GitHub issues as needed, and join the Deepfence Community Slack channel.

License

The Deepfence PacketStreamer project (this repository) is offered under the Apache2 license.

Contributions to Deepfence PacketStreamer project are similarly accepted under the Apache2 license, as per GitHub's inbound=outbound policy.

More Repositories

1

ThreatMapper

Open Source Cloud Native Application Protection Platform (CNAPP)
TypeScript
4,763
star
2

SecretScanner

πŸ”“ πŸ”“ Find secrets and passwords in container images and file systems πŸ”“ πŸ”“
Go
3,092
star
3

YaraHunter

πŸ”πŸ” Malware scanner for cloud-native, as part of CI/CD and at Runtime πŸ”πŸ”
Go
1,234
star
4

FlowMeter

⭐ ⭐ Use ML to classify flows and packets as benign or malicious. ⭐ ⭐
Go
1,105
star
5

ebpfguard

Rust library for writing Linux security policies using eBPF
Rust
281
star
6

community

Deepfence Community
69
star
7

deepfence_runtime_api

Deepfence Runtime API & code samples
HTML
50
star
8

vessel

Vessel is the Go based utility that autodetects underlying Container Runtime in Kubernetes
Go
45
star
9

ThreatStryker-docs

ThreatStryker Documentation
42
star
10

package-scanner

Go
41
star
11

yara-rules

YARA
38
star
12

DocumentationWebsite

JavaScript
36
star
13

terraform-gcp-cloud-scanner

Deepfence Cloud Scanner runs in your cloud environment, gathering inventory and compliance information for the assets deployed in that environment. It submits that information to your Deepfence ThreatMapper or ThreatStryker Management Console
HCL
35
star
14

terraform-aws-cloud-scanner

Deepfence Cloud Scanner runs in your cloud environment, gathering inventory and compliance information for the assets deployed in that environment. It submits that information to your Deepfence ThreatMapper or ThreatStryker Management Console
HCL
35
star
15

helm-charts

Smarty
34
star
16

terraform-azure-cloud-scanner

Deepfence Cloud Scanner runs in your cloud environment, gathering inventory and compliance information for the assets deployed in that environment. It submits that information to your Deepfence ThreatMapper or ThreatStryker Management Console
HCL
33
star
17

CI-CD-Integrations

CI/CD plugins for image scanning, integrations with AWS ECR, Google Container Registry
HCL
32
star
18

secretscanner-docker-extension

⛴️ Docker extension for deepfence/SecretScanner πŸ”
JavaScript
25
star
19

yarahunter-docker-extension

⛴️Docker extension for deepfence/YaraHunterπŸ”Ž
JavaScript
24
star
20

terraform-aws-threatmapper

ThreatMapper Terraform module for AWS
HCL
24
star
21

agent-plugins-grpc

Agent plugins' gRPC definitions
Makefile
23
star
22

pcap-tools

C
22
star
23

compliance

Compliance Scripts Handler
Shell
21
star
24

apache-struts

This repository contains sample attacks that can be used to exploit vulnerabilities in the Jakarta Multipart Parser of Apache Struts
Java
20
star
25

.github

18
star
26

sock-app-canary

Shell
17
star
27

golang_deepfence_sdk

Golang deepfence SDK
Go
15
star
28

kubernetes-scanner

Kubernetes Security Posture Management
Go
14
star
29

cloud-scanner

Deepfence Cloud Scanner runs in your cloud environment, gathering inventory and compliance information for the assets deployed in that environment. It submits that information to your Deepfence ThreatMapper or ThreatStryker Management Console.
Go
4
star
30

ThreatMapperWorkshop

CNAPP Security Workshop using ThreatMapper
4
star
31

open-tracer

Open tracer that uses eBPF kernel features
Rust
3
star
32

threatmapper-python-client

ThreatMapper python client
Python
3
star
33

ebpfguard-blog-example

Sample of eBPFGuard capabilities for upcoming blogpost.
Rust
3
star
34

deepfence-playground

Deepfence's Sandbox on killercoda Platform
Shell
2
star
35

terraform-provider-deepfence

Deepfence Terraform provider
2
star
36

CommunityThreatIntel

Threat Intelligence by and for the community
1
star
37

http2viewer

HTTP2 message viewer
Go
1
star
38

match-scanner

Go
1
star