Packet monster (っ‘-’)╮=͟͟͞͞◒ ヽ( '-'ヽ) TUI tool for sending packets of arbitrary input and monitoring packets on any network interfaces (default: eth0). Windows/macOS/Linux

ddddddO/packemon

Packémon


Packet monster, or Packémon for short! (っ‘-’)╮=͟͟͞͞◒ ヽ( '-'ヽ)

(Video: packemon_dns_windows.mp4)

TUI tool for generating packets of arbitrary input and monitoring packets on any network interface (default: eth0). Run packemon interfaces to list the interfaces that can be specified.
This tool works on Windows, macOS, and Linux.

This TUI tool now runs on macOS thanks to support contributed by cluster2600. Thanks🎉!

I intend to develop it patiently🌴

The images of Packemon in this README are for reference only; they may differ from the current Packemon.

Warning

This tool implements its protocol stacks from scratch and uses raw sockets.
There may be many bugs. If you find one, please raise an issue or send a pull request!

Feature - Overview

This TUI tool has two major functions: packet generation and packet monitoring.

(Images: generated DNS query and received response; DNS response detail; filtered packets)

These images show packemon running in Generator / Monitor mode.
The DNS query packet generated by the Generator on the left appears on line 56 of the Monitor; the DNS query response is on line 57, and the middle image shows its detailed view.
See here for detailed instructions.

In Packemon's Monitor, press Enter to move the cursor into the packet list, select a line, and press Enter again to open the details of that packet. Pressing Esc on the packet detail screen returns you to the packet list. The rightmost image shows the packet list being filtered.

Feature - Generator

Send generated packets to any network interfaces.

  • You can specify network interface with --interface flag. Default is eth0.

Packets of various protocols are supported.

details
  • Ethernet

    • IEEE802.1Q(VLAN tag)
  • ARP

  • IPv4

  • IPv6

  • ICMPv4

  • ICMPv6

  • TCP

  • UDP

  • TLSv1.2

    • Implementation using Go's standard library (only the following fields take effect:)

      • IPv4: Source IP Addr, Destination IP Addr
      • IPv6: Source IP Addr, Destination IP Addr
      • TCP: Source Port, Destination Port, Do TCP 3way handshake ? (must be checked)
      • HTTP: All fields
    • Experimental implementation (full scratch)

      • This implementation is of limited use because it still supports only a few cipher suites, but an environment for trying it out can be found here.
        • TCP 3way handshake ~ TLS handshake ~ TLS Application data (encrypted HTTP)
      • Supported cipher suites include
        • TLS_RSA_WITH_AES_128_GCM_SHA256
      • You can check which cipher suites a server offers with the following command
        • nmap --script ssl-enum-ciphers -p 443 <server ip>
  • TLSv1.3

    • Implementation using Go's standard library (only the following fields take effect:)

      • IPv4: Source IP Addr, Destination IP Addr
      • IPv6: (Not available... Coming soon!)
      • TCP: Source Port, Destination Port, Do TCP 3way handshake ? (must be checked)
      • HTTP: All fields
    • Experimental implementation (full scratch)

      • This implementation is of limited use because it still supports only a few cipher suites, but an environment for trying it out can be found here.
        • TCP 3way handshake ~ TLS handshake ~ TLS Application data (encrypted HTTP)
      • Supported cipher suites include
        • TLS_CHACHA20_POLY1305_SHA256
  • QUIC (Using github.com/quic-go/quic-go. The following are valid fields;)

    • IPv4: Source IP Addr, Destination IP Addr
    • IPv6: Source IP Addr, Destination IP Addr
    • UDP: Source Port, Destination Port (UDP selection required)
    • QUIC: All fields
    • HTTP: All fields
      • 🥳< HTTP/3!
  • DNS (WIP)

  • HTTP (WIP)

  • xxxxx....

  • Routing Protocols

    • IGP (Interior Gateway Protocol)
      • OSPF (Open Shortest Path First)
      • EIGRP (Enhanced Interior Gateway Routing Protocol)
      • RIP (Routing Information Protocol)
    • EGP (Exterior Gateway Protocol)

Warning

While Generator mode is running, the TCP RST packets that the kernel would otherwise send are dropped (the kernel has no socket for a handshake that Packemon crafts itself, so it would answer the peer's SYN/ACK with a RST). When this mode is stopped, the original state is restored. Probably😅. The RST dropping is done by an eBPF program; a background note on adding the eBPF is in this post on X.

Tip

While in Generator mode, the bpf_printk output of the eBPF program can be read with the following commands (Linux):
$ sudo mount -t debugfs none /sys/kernel/debug (only once)
$ sudo cat /sys/kernel/debug/tracing/trace_pipe

Feature - Monitor

Monitor any network interfaces.

  • You can specify network interface with --interface flag. Default is eth0.

Can filter packets to be displayed.

  • You can filter the values for each item (e.g. Dst, Proto, SrcIP...etc.) displayed in the listed packets.

Specified packets can be saved to pcapng file.

Packets of various protocols are supported.

details
  • Ethernet
    • IEEE802.1Q(VLAN tag)
  • ARP
  • IPv4 (WIP)
  • IPv6 (WIP)
  • ICMPv4 (WIP)
  • ICMPv6
  • TCP (WIP)
  • UDP
  • TLSv1.2 (WIP)
  • TLSv1.3
  • DNS (WIP)
    • DNS query
    • DNS query response
    • xxxxx....
  • HTTP (WIP)
    • HTTP GET request
    • HTTP GET response
    • xxxxx....
  • xxxxx....
  • Routing Protocols
    • IGP (Interior Gateway Protocol)
      • OSPF (Open Shortest Path First)
      • EIGRP (Enhanced Interior Gateway Routing Protocol)
      • RIP (Routing Information Protocol)
    • EGP (Exterior Gateway Protocol)
      • BGP (Border Gateway Protocol)

Warning

If packet parsing fails, the line is shown with “Proto:ETHER”, as in the following image.

To inspect such a packet, select the line, save it to a pcapng file, and open it in Wireshark or similar software🙏

Installation

Source build

Important

For Linux, the 'Dependencies' section of https://ebpf-go.dev/guides/getting-started/#ebpf-c-program is required.
For Windows, Npcap is required. Check the following options in the Npcap installer:

  • Support raw 802.11 traffic (and monitor mode) for wireless adapters
  • Install Npcap in WinPcap API-compatible Mode
$ git clone git@github.com:ddddddO/packemon.git
$ cd packemon
(For Linux)
$ cd tc_program/ && go generate && cd -
(For Linux or macOS)
$ go build -o packemon cmd/packemon/*.go
$ ls | grep packemon
$ sudo mv packemon /usr/local/bin/
(For Windows)
$ go build -o packemon.exe .\cmd\packemon\

Package manager

Important

Package builds have occasionally failed; if a release lacks the package for your platform, install it another way.

For arm64, replace “amd64” with “arm64” in the following commands.

deb
$ export PACKEMON_VERSION=X.X.X
$ curl -o packemon.deb -L https://github.com/ddddddO/packemon/releases/download/v$PACKEMON_VERSION/packemon_$PACKEMON_VERSION-1_amd64.deb
$ sudo dpkg -i packemon.deb

rpm
$ export PACKEMON_VERSION=X.X.X
$ (RHEL/CentOS) sudo yum install https://github.com/ddddddO/packemon/releases/download/v$PACKEMON_VERSION/packemon_$PACKEMON_VERSION-1_amd64.rpm
or
$ (Fedora) sudo dnf install https://github.com/ddddddO/packemon/releases/download/v$PACKEMON_VERSION/packemon_$PACKEMON_VERSION-1_amd64.rpm

apk
$ export PACKEMON_VERSION=X.X.X
$ curl -o packemon.apk -L https://github.com/ddddddO/packemon/releases/download/v$PACKEMON_VERSION/packemon_$PACKEMON_VERSION-1_amd64.apk
$ sudo apk add --allow-untrusted packemon.apk
--allow-untrusted skips apk's package signature check, so make sure the file really came from the project's GitHub Releases page over HTTPS before installing it.

Homebrew
$ brew install ddddddO/tap/packemon

AUR
https://aur.archlinux.org/packages?K=packemon

Confirmed to run in the following environments
  • OS: Debian GNU/Linux 12 (bookworm) on WSL2
    • Kernel: 5.15.167.4-microsoft-standard-WSL2
    • Architecture: x86_64
  • OS: Ubuntu 22.04.3 LTS on WSL2
    • Kernel: 5.15.167.4-microsoft-standard-WSL2
    • Architecture: x86_64
  • OS: Fedora Linux 42 on WSL2
    • Kernel: 5.15.167.4-microsoft-standard-WSL2
    • Architecture: x86_64
  • OS: Debian GNU/Linux 12 (bookworm) on Google Pixel 7a
    • Kernel: 6.1.0-34-arm64
    • Architecture: aarch64
  • OS: macOS
  • OS: Windows 11 Pro
    • Confirm MAC address of default gateway (via PowerShell)
      PS > $defaultGateway = (Get-NetRoute -DestinationPrefix "0.0.0.0/0" | Sort-Object -Property InterfaceMetric | Select-Object -First 1).NextHop
      PS > echo $defaultGateway
      192.168.10.1
      PS > Get-NetNeighbor -IPAddress $defaultGateway | Select-Object -ExpandProperty LinkLayerAddress
The OS, kernel and architecture above were read with: cat /etc/os-release, uname -r and uname -m.

Go install

For macOS, besides Homebrew, this is also easy.

Important

For Windows, Npcap is required. Check the following options in the Npcap installer:

  • Support raw 802.11 traffic (and monitor mode) for wireless adapters
  • Install Npcap in WinPcap API-compatible Mode
$ go install github.com/ddddddO/packemon/cmd/packemon@latest

Usage - Overview

$ packemon --help
NAME:
   packemon - Packet monster (っ‘-’)╮=͟͟͞͞◒ ヽ( '-'ヽ) TUI tool for sending packets of arbitrary input and monitoring packets on any network interfaces (default: eth0). Windows/macOS/Linux

              ⌒丶、_ノ⌒丶、_ノ⌒丶、_ノ⌒丶、_ノ⌒丶、_ノ⌒丶、_ノ

                                   о


                                 ,、-、_  __
                   ,、-―、_,、'´    ̄  `ヽ,
                  /       ・    .   l、
                  l,       ヾニニつ    `ヽ、
                   |                  `ヽ,
                   ノ                  ノ
                  /::::                 /
                /:::::::                ..::l、
               /::::::::::::::::::......:::::::.       ............::::::::::`l,
               l::::::::::::::::::::::::::::::::::::......   ....:::::::::::::::::::::::::::::`l,
               ヽ,:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::ノ
                  ̄ ̄``ヽ、_:::::::::::::::::::::::,、-―´ ̄`ヽ、,、-'
                        `ヽ―-―'´

USAGE:
   packemon [global options] [command [command options]]

VERSION:
   1.8.0 / revision cb61da2

COMMANDS:
   monitor, m, mon       Monitor mode. You can monitor packets received and sent on the specified interface. Default is 'eth0' interface.
   generator, g, gen     Generator mode. Arbitrary packets can be generated and sent.
   interfaces, i, intfs  Check the list of interfaces.
   debugging, d, debug   Debugging mode.
   version, v            Prints the version.
   help, h               Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --help, -h     show help
   --version, -v  print the version
$

Usage - Generator

$ sudo setcap cap_net_raw,cap_bpf,cap_sys_admin,cap_net_admin+ep /path/to/packemon
$ packemon generator

Generator mode needs more than raw-socket access because it loads and attaches the RST-dropping eBPF program: cap_bpf (kernel 5.8 and later) and cap_net_admin cover that, and cap_sys_admin is close to full root, so grant this set only to a binary you trust.

or

$ sudo packemon generator

Usage - Monitor

$ sudo setcap cap_net_raw+ep /path/to/packemon
$ packemon monitor

or

$ sudo packemon monitor

Usecase - Overview

Network Learning and Education

Packemon serves as an educational tool for understanding network protocols by allowing hands-on experimentation. You can generate custom packets at different OSI layers and observe their behavior, making it ideal for learning TCP/IP fundamentals.

Protocol Development and Testing

The tool supports testing custom protocol implementations across multiple layers including Ethernet, ARP, IPv4/IPv6, ICMP, TCP/UDP, TLS, DNS, and HTTP. This makes it valuable for developers working on network protocol stacks or testing protocol compliance.

Network Troubleshooting and Analysis

Packemon provides packet monitoring capabilities similar to Wireshark, allowing you to capture and analyze network traffic in real-time. You can filter packets, examine protocol details, and export captured data to pcapng format for further analysis.

Security Research and Penetration Testing

The tool can be used for security research, including testing for vulnerabilities like DNS reflection attacks.

Custom Network Tool Development

Packemon demonstrates how to build network tools from scratch, serving as a reference implementation for developers creating their own packet manipulation utilities.

Usecase - Sending DNS query and Monitoring DNS response

process
  1. setup

    # Generator
    $ sudo packemon generator
    # Monitor
    $ sudo packemon monitor

    ← Generator | Monitor →

  2. Generator

    • > Ethernet > Ether Type > IPv4

    • > IPv4 > Protocol > UDP

    • > IPv4 > Destination IP Addr > 1.1.1.1

      • Enter the address of a DNS resolver here; 1.1.1.1 is Cloudflare's public resolver.
    • > UDP > Destination Port > 53

    • > UDP > Automatically calculate length ? > (Check!)

    • > DNS > Queries Domain > go.dev

      • Enter the domain name you want resolved.
    • > DNS > Click on Send!

      • The DNS query is sent with the values set so far.

  3. Monitor

    • Find records where Proto: DNS and DstIP or SrcIP is 1.1.1.1. Select each record to see the packet structure of the DNS query and the packet structure of the DNS response.

      • List

      • DNS query (DstIP: 1.1.1.1)

      • DNS response (SrcIP: 1.1.1.1)
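The query that the Generator steps above assemble, and the response the Monitor then shows, as an added Go example that is not part of the packemon code base: it builds the raw DNS message (header, one question for go.dev, type A, class IN) that goes into the UDP payload, and parses the answer section of a reply with bounds checks on every offset. The response bytes are constructed for this example (a made-up reply carrying one A record for the TEST-NET address 192.0.2.10), not a captured packet; putting the bytes on the wire and receiving the reply is left to the tool.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"strings"
)

// buildDNSQuery encodes a recursive A query (RFC 1035 section 4.1) for name.
func buildDNSQuery(id uint16, name string) ([]byte, error) {
	hdr := make([]byte, 12)
	binary.BigEndian.PutUint16(hdr[0:], id)
	binary.BigEndian.PutUint16(hdr[2:], 0x0100) // flags: QR=0, RD=1
	binary.BigEndian.PutUint16(hdr[4:], 1)      // QDCOUNT=1
	q, err := encodeName(name)
	if err != nil {
		return nil, err
	}
	q = append(q, 0x00, 0x01, 0x00, 0x01) // QTYPE=A, QCLASS=IN
	return append(hdr, q...), nil
}

// encodeName turns "go.dev" into the label sequence 2 'g' 'o' 3 'd' 'e' 'v' 0.
func encodeName(name string) ([]byte, error) {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if len(label) == 0 || len(label) > 63 {
			return nil, fmt.Errorf("bad label %q", label)
		}
		out = append(append(out, byte(len(label))), label...)
	}
	return append(out, 0), nil
}

// parseARecords checks that msg is a successful response to transaction wantID
// and returns the IPv4 addresses of its type A answers; the resolver (or anyone
// on the path) controls these bytes, so every offset is bounds-checked.
func parseARecords(msg []byte, wantID uint16) (ips []net.IP, err error) {
	if len(msg) < 12 || binary.BigEndian.Uint16(msg[0:]) != wantID {
		return nil, fmt.Errorf("short message or transaction ID mismatch")
	}
	flags := binary.BigEndian.Uint16(msg[2:])
	if flags&0x8000 == 0 || flags&0x000F != 0 {
		return nil, fmt.Errorf("not a response, or RCODE %d", flags&0x000F)
	}
	qd, an, off := int(binary.BigEndian.Uint16(msg[4:])), int(binary.BigEndian.Uint16(msg[6:])), 12
	for i := 0; i < qd; i++ { // skip the echoed question section
		n, err := skipName(msg, off)
		if err != nil {
			return nil, err
		}
		off = n + 4 // QTYPE + QCLASS
	}
	for i := 0; i < an; i++ {
		n, err := skipName(msg, off)
		if err != nil || n+10 > len(msg) {
			return nil, fmt.Errorf("truncated answer")
		}
		rtype := binary.BigEndian.Uint16(msg[n:])
		rdlen := int(binary.BigEndian.Uint16(msg[n+8:]))
		if off = n + 10 + rdlen; off > len(msg) {
			return nil, fmt.Errorf("truncated RDATA")
		}
		if rtype == 1 && rdlen == 4 {
			ips = append(ips, net.IP(append([]byte(nil), msg[n+10:off]...)))
		}
	}
	return ips, nil
}

// skipName returns the offset just past a name, spelled out as labels or
// compressed to a 2-byte pointer (0xC0xx) as resolvers usually do for answers.
func skipName(msg []byte, off int) (int, error) {
	for {
		if off >= len(msg) {
			return 0, fmt.Errorf("name runs past end of message")
		}
		l := int(msg[off])
		switch {
		case l == 0:
			return off + 1, nil
		case l&0xC0 == 0xC0:
			return off + 2, nil
		default:
			off += 1 + l
		}
	}
}

// sampleResponse is a constructed reply to buildDNSQuery(0x1234, "go.dev"):
// flags 0x8180, one A record 192.0.2.10 (TEST-NET, made up for this example).
var sampleResponse = []byte{
	0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
	2, 'g', 'o', 3, 'd', 'e', 'v', 0, 0x00, 0x01, 0x00, 0x01, // question
	0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x2C, 0x00, 0x04, // answer RR
	192, 0, 2, 10,
}

func main() { fmt.Println(parseARecords(sampleResponse, 0x1234)) }
```

The transaction ID check matters when you send queries by hand: with a fixed, predictable ID an attacker who can see your query can race the resolver with a forged reply, so pick the ID randomly per query when this leaves the lab.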

Usecase - Network Scan

Host Scan

This is a method for identifying which hosts (devices) are operational on a network.

details
ARP Scan
  Description: On a local network, broadcast an ARP request and see which host answers; the reply also confirms the IP-to-MAC association. Packemon does not yet support an IP address range in a request, so each target address has to be entered individually...
  How to do it in Packemon (Generator):
  - > Ethernet > Destination Mac Addr > 0xffffffffffff
  - > Ethernet > Ether Type > ARP
  - > ARP > Hardware Type > 0x0001
  - > ARP > Protocol Type > 0x0800
  - > ARP > Hardware Size > 0x06
  - > ARP > Protocol Size > 0x04
  - > ARP > Operation Code > 0x0001
  - > ARP > Target Mac Addr > 0x000000000000
  - > ARP > Target IP Addr > (Target IP Addr)
  - > ARP > Click on Send!
Ping Sweep
  Description: Send ICMP echo requests to multiple IP addresses on the network and note which hosts return echo replies. Simple and widely used. As with ARP Scan, each target address has to be entered individually...
  How to do it in Packemon (Generator):
  - > Ethernet > Ether Type > IPv4
  - > IPv4 > Protocol > ICMP
  - > IPv4 > Destination IP Addr > (Target IP Addr)
  - > ICMP > Type > 0x08
  - > ICMP > Click on Send!

Port Scan

This is a method for identifying which ports are open (which services are running) on a network device. It is used by attackers to find vulnerable services and by administrators to verify security settings.

details
TCP Connect Scan
  Description: The most basic method: a port is confirmed open by completing the full TCP three-way handshake (SYN -> SYN/ACK -> ACK).
  How to do it in Packemon (Generator):
  - > Ethernet > Ether Type > IPv4
  - > IPv4 > Protocol > TCP
  - > IPv4 > Destination IP Addr > (Target IP Addr)
  - > TCP > Do TCP 3way handshake ? > (Check!)
  - > TCP > Destination Port > (Target Port)
  - > TCP > Click on Send!
SYN Scan (Half-open Scan)
  Description: Checks a port without completing the handshake: send a SYN, and if a SYN/ACK comes back the port is deemed open; a RST then tears the half-open connection down. Because it leaves fewer traces in application logs, it is also called a stealth scan. Since Packemon on Linux drops the kernel's RST packets while in Generator mode, only the SYN step is given here.
  How to do it in Packemon (Generator):
  - > Ethernet > Ether Type > IPv4
  - > IPv4 > Protocol > TCP
  - > IPv4 > Destination IP Addr > (Target IP Addr)
  - > TCP > Do TCP 3way handshake ? > (No Check!)
  - > TCP > Flags > 0x02
  - > TCP > Destination Port > (Target Port)
  - > TCP > Click on Send!
UDP Scan
  Description: Because UDP is connectionless, the scan sends a UDP datagram and treats the port as closed if an ICMP Port Unreachable (Type 3, Code 3) comes back. No response means open or filtered, not definitely open: the datagram or the ICMP error may have been dropped, and many hosts rate-limit ICMP errors, so retry before drawing a conclusion.
  How to do it in Packemon (Generator):
  - > Ethernet > Ether Type > IPv4
  - > IPv4 > Protocol > UDP
  - > IPv4 > Destination IP Addr > (Target IP Addr)
  - > UDP > Destination Port > (Target Port)
  - > UDP > Click on Send!
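The frames that the Host Scan and Port Scan steps above have you fill in field by field, as an added Go example that is not packemon's own code: an ARP who-has frame, an ICMPv4 echo request with its checksum, and a TCP SYN segment whose checksum covers the IPv4 pseudo-header, plus an ARP sweep over a whole CIDR, which goes beyond the one-address-at-a-time procedure the page describes. The MAC and IP addresses, the sequence number and the window size are assumed values (TEST-NET 192.0.2.0/24); the code only builds bytes and sends nothing, so it runs without raw-socket privileges.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// arpRequest builds the Ethernet+ARP "who-has" frame from the ARP Scan steps.
func arpRequest(srcMAC net.HardwareAddr, srcIP, targetIP net.IP) ([]byte, error) {
	s4, t4 := srcIP.To4(), targetIP.To4()
	if len(srcMAC) != 6 || s4 == nil || t4 == nil {
		return nil, errors.New("need a 6-byte MAC and IPv4 addresses")
	}
	f := make([]byte, 0, 42)
	f = append(f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff) // Destination Mac Addr (broadcast)
	f = append(f, srcMAC...)                          // Source Mac Addr
	f = append(f, 0x08, 0x06)                         // Ether Type > ARP
	f = append(f, 0x00, 0x01, 0x08, 0x00, 0x06, 0x04) // Hardware/Protocol Type and Size
	f = append(f, 0x00, 0x01)                         // Operation Code > request
	f = append(f, srcMAC...)                          // Sender Mac Addr
	f = append(f, s4...)                              // Sender IP Addr
	f = append(f, 0, 0, 0, 0, 0, 0)                   // Target Mac Addr (unknown)
	f = append(f, t4...)                              // Target IP Addr
	return f, nil
}

// arpSweep extends the procedure to every usable host in cidr (network,
// broadcast and our own address skipped), one frame per target.
func arpSweep(srcMAC net.HardwareAddr, srcIP net.IP, cidr string) ([][]byte, error) {
	_, ipnet, err := net.ParseCIDR(cidr)
	if err != nil || ipnet.IP.To4() == nil {
		return nil, errors.New("need an IPv4 CIDR")
	}
	base := binary.BigEndian.Uint32(ipnet.IP.To4())
	mask := binary.BigEndian.Uint32(ipnet.Mask)
	var frames [][]byte
	for a := base + 1; a < base|^mask; a++ {
		ip := make(net.IP, 4)
		binary.BigEndian.PutUint32(ip, a)
		if ip.Equal(srcIP) {
			continue
		}
		f, err := arpRequest(srcMAC, srcIP, ip)
		if err != nil {
			return nil, err
		}
		frames = append(frames, f)
	}
	return frames, nil
}

// icmpEchoRequest is the ICMPv4 message from the Ping Sweep steps, checksum included.
func icmpEchoRequest(id, seq uint16, payload []byte) []byte {
	p := make([]byte, 8+len(payload))
	p[0] = 8 // Type > 0x08 (echo request), Code 0
	binary.BigEndian.PutUint16(p[4:], id)
	binary.BigEndian.PutUint16(p[6:], seq)
	copy(p[8:], payload)
	binary.BigEndian.PutUint16(p[2:], inetChecksum(p, nil))
	return p
}

// tcpSyn is the bare segment from the SYN Scan steps (Flags 0x02, no options);
// its checksum also covers an IPv4 pseudo-header, so both addresses are needed.
func tcpSyn(srcIP, dstIP net.IP, srcPort, dstPort uint16, seq uint32) []byte {
	s := make([]byte, 20)
	binary.BigEndian.PutUint16(s[0:], srcPort)
	binary.BigEndian.PutUint16(s[2:], dstPort)
	binary.BigEndian.PutUint32(s[4:], seq)
	s[12] = 5 << 4                            // data offset: 5 words
	s[13] = 0x02                              // Flags > SYN
	binary.BigEndian.PutUint16(s[14:], 64240) // window (assumed value)
	pseudo := make([]byte, 12)
	copy(pseudo[0:], srcIP.To4())
	copy(pseudo[4:], dstIP.To4())
	pseudo[9] = 6 // protocol: TCP
	binary.BigEndian.PutUint16(pseudo[10:], uint16(len(s)))
	binary.BigEndian.PutUint16(s[16:], inetChecksum(s, pseudo))
	return s
}

// inetChecksum is the RFC 1071 one's-complement sum over prefix followed by
// data; recomputing it over a packet with its checksum in place yields 0.
func inetChecksum(data, prefix []byte) uint16 {
	b := append(append([]byte{}, prefix...), data...)
	var sum uint32
	for i := 0; i+1 < len(b); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(b[i:]))
	}
	if len(b)%2 == 1 {
		sum += uint32(b[len(b)-1]) << 8
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

func main() { fmt.Println(len(icmpEchoRequest(1, 1, []byte("packemon")))) }
```

Whoever puts these bytes on the wire still needs the kernel-side arrangements the Warning above describes: without the RST drop, the kernel answers the SYN/ACK that tcpSyn provokes with a RST of its own, which is exactly what makes a scratch-built SYN scan look like a half-open scan.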

Vulnerability Scan

This is a method for detecting known vulnerabilities (such as in operating systems, applications, or configuration errors).

details
Automated Scanners
  Description: Tools such as Nessus and OpenVAS run automated scans against known-vulnerability databases.
  How to do it in Packemon (Generator): -
Banner Grabbing
  Description: Connect to the port and read the “banner” the service returns (e.g. web server version information) to check it against known vulnerabilities.
  How to do it in Packemon (Generator): -

Other Scan

details
OS Fingerprinting
  Description: Identifies the target host's operating system from TCP/IP packet characteristics such as TTL values and window sizes.
  How to do it in Packemon (Generator): -
Port Redirection
  Description: Checks for settings that forward packets to different ports or hosts.
  How to do it in Packemon (Generator): -

Related tools

Monitor

Generator

Acknowledgments

Document

Stargazers over time

Log (Japanese)

xxx

Links

Verification

Simple HTTP server on a Raspberry Pi

pi@raspberrypi:~ $ sudo go run main.go

Packet capture

$ sudo tcpdump -U -i eth0 -w - | /mnt/c/Program\ Files/Wireshark/Wireshark.exe -k -i -
  • Receive screen (Monitor)

    $ sudo go run cmd/packemon/main.go monitor
  • Send screen (Generator)

    $ sudo go run cmd/packemon/main.go generator
  • Single-frame send command (e.g. ARP request)

    $ sudo go run cmd/packemon/main.go debugging --send --proto arp

Requests with a specific TLS version

# Request with TLS v1.2
$ curl -k -s -v --tls-max 1.2 https://192.168.10.112:10443

# Request with TLS v1.3
$ curl -k -s -v --tls-max 1.3 https://192.168.10.112:10443

# Request with TLS v1.3 and a chosen cipher suite (note: this does not restrict the Cipher Suites list in the Client Hello to that one suite; it only moves it to the top, i.e. highest priority, as confirmed by packet capture)
$ curl -k -s -v --tls-max 1.3 --tls13-ciphers "TLS_CHACHA20_POLY1305_SHA256" https://192.168.10.112:10443

Quick broadcast

$ arping -c 1 1.2.3.4
ARPING 1.2.3.4 from 172.23.242.78 eth0
Sent 1 probes (1 broadcast(s))
Received 0 response(s)

DNS over TCP

$ nslookup -vc github.com

Enabling IPv6 on WSL2

ping over IPv6

How to

$ ip -6 route
$ ping -c 1 fe80::1
(a link-local target normally needs the interface scope, e.g. fe80::1%eth0)

Self-implemented TCP 3-way handshake

$ sudo go run cmd/packemon/main.go debugging --send --proto tcp-3way-http

Verification snapshots

xxx
  • Built and sent an Ethernet frame only (with the file committed in 77c9149)

  • Built and sent an ARP request (with the file committed in 390f266; the contents are probably a mess)

  • Received and parsed an ARP request (committed in b6a025a)
