Grave_Rose
Collaborator

[tool] - https://tcpdump101.com

Hopefully self-promotion isn't frowned upon but I was suggested to post here. Over the past few years, I've been working on a tool to help people capture packets by allowing users to have a web-based interface to create the commands for them. Today, I've launched the latest version into production which supports "fw monitor" as well as "fw ctl debug" commands. It's located here: https://tcpdump101.com

I'm posting this in the hopes that people will find it useful (it supports tcpdump as well as other vendors) and maybe get some feedback from the community. If you use it, let me know if you find it handy, what you'd like to see improved and if you have any other suggestions.

Thanks,

Sean (Gr@ve_Rose)

Overview of Check Point module in tcpdump101

84 Replies
Sven_Glock
Advisor

Wow - nice tool - I like it!

0 Kudos
Grave_Rose
Collaborator

Thanks Sven Glock and I'm glad you like it! Smiley Happy

0 Kudos
Sven_Glock
Advisor

Hi Sean,


what about adding tcpflags to your predefined filters?

Example:

tcpdump -nn -i eth1 src net 192.168.1.0/24 and tcp[13] == 2

This only looks for packets coming from 192.168.1.0/24 where the tcpflag "syn" is set.

Cheers

Sven

0 Kudos
Grave_Rose
Collaborator

Hey Sven Glock - Thanks for the feedback! Those filters are already included in the tool. If you select "TCP Only" a sub-menu opens up where you can specify which flags you want to filter on. I've snipped the screenshots below for you (the second one just shows the output - it's not a real command). Let me know if you have any more feedback and I hope you find it useful! Smiley Happy

TCP Flag Selection

TCP Flag Filter

Sven_Glock
Advisor

Hi Sean, 

thanks for your fast reply!

I saw those filters, but I was not able to link "TCP only" with "tcpflags" - my mistake, sorry!

The implementation is good.

I will have a look for real improvements.

Cheers

Sven

0 Kudos
Grave_Rose
Collaborator

Don't apologize - Even small things can be seen as improvements. Smiley Happy If even one person has an issue, it could mean that other people have the issue as well. Would it be helpful if the "TCP Only" option were expanded to read "TCP Only (Including tcpflags)" or something like that?

Sven_Glock
Advisor

Yes, this would be definitively helpful!

0 Kudos
Sven_Glock
Advisor

I have another thing...

Once you are using multiple filters there is no possibility to delete the first filter:

You can set it only to "none" but this will leave a relic in the command line:

Cheers

Sven

0 Kudos
Sven_Glock
Advisor

As I could not delete the first filter I tried to change it, but this caused serious problems and left the command unchanged:

0 Kudos
Grave_Rose
Collaborator

Hey Sven Glock - Man, you're a machine. Smiley Happy The second item you pointed out seems to be a bug. It would seem that if you select an option and leave it blank then select "TCP Only" the previous error message persists and prevents you from using the "TCP Only" option. All other options work so I'll look into this as soon as I can. Once I fix it, I'll let everyone know.

With regards to the first item (not being able to delete the first filter) this is something I'm working on. It also ties into something that Phillip Runner suggested about being able to add filters in above/below and in the middle of existing syntax. I'm basically looking at a total back-end rewrite to be able to support these features but it's something a lot of people have mentioned they want to see so I want to make it happen. Of course, this is going to take quite a while as it's a full re-write and I need to balance this with "real life". Smiley Happy

Thanks again for the suggestions and feedback!

Grave_Rose
Collaborator

Hey Sven Glock (and everyone else in the thread) - I've fixed the bug and modified "TCP Only" to "TCP Only (with tcpflags)" for the modules which support it (tcpdump and Fortinet). I've also given you credit for finding this in the .plan section of the tool and will be mentioning you on Twitter as well for this. Smiley Happy Again, thanks to everyone for the feedback.

0 Kudos
Sven_Glock
Advisor

One more thing...

Once you have already defined a filter and you want to create a new one for a different scenario you need to reload the page.

A "start over" button would be nice!

Cheers

Sven

0 Kudos
Grave_Rose
Collaborator

Check down on the bottom-most icon in the menu bar - The rubbish bin will reload the page for you and reset everything. Saves you from having to press Ctrl+F5. Smiley Happy I know it has to perform a page reload but it's the easiest way instead of having to have a script which blanks all fields and resets everything. Also, there are some keyboard shortcuts so when you load the page and get the splash screen, press [ESC] and it will hide the splash page for you. Smiley Happy

0 Kudos
Sven_Glock
Advisor

Ok, the root cause seems to be my 27" screen - the rubbish bin is too far away from the form itself.

From my side: once you are working in a form you are only looking for features like this inside the form.

The sidebar suggests that the links on it do not belong to the form.

As the bin is the only one, I did not expect buttons in that menu belonging to the form.

So, it would be nice to have the bin inside the form.

...but maybe I am a bit too old school.

0 Kudos
Grave_Rose
Collaborator

Hahaha! Maybe I'll put a cookie in the page to track you and have the bin follow you around.

I think what I could do (when doing the re-work) is to have a "clear all filters" button pop up near the filters somewhere. Would that work for you in the future?

Sven_Glock
Advisor

Yes, this would be helpful!

0 Kudos
Grave_Rose
Collaborator

Hey everyone - I normally don't like to bump threads for the sake of self-promotion but since I've received a lot [!] of feedback and constructive ideas from this post, I thought I'd post a quick update. This will (probably?) be the last one here at Check Mates before the next move from Dev to Prod with the new (from scratch) re-write so I'm not seen spamming message boards. Smiley Happy

If you have a few minutes in the near future, can you check out the development build at http://dev.tcpdump101.com and use the "tcpdump" module to let me know what you think? It's not very functional right now but the UI layout is pretty much there. Let me know what seems good to you, what seems not-so-good to you and what you'd like to see in the new build. Here are a few quick highlights (as of 15.11.18) of what's working. Your input and feedback will help shape the tool for everyone.

  • Command output bar at the top is now sticky and will always be at the top regardless of where you scroll. (Suggested by Check Mates)
  • Copy button (working) and Restart button (not working) are now fixed on the right-side of the module and, again, will stay there when scrolled. (Somewhat suggested by Check Mates)
  • The JS functions are more reusable so I should be able to cut down the 300k JS file to something more manageable.
  • You can now just click anywhere on the command output bar at the top and all the text (not HTML) will be copied. This will (hopefully) make multi-line commands (such as 'fw ctl debug') copy properly instead of just highlighting.
  • There's now a home page with some information instead of a splash screen.
  • If your browser/screen/viewport is smaller than 900x700, a small information bar at the top will show up suggesting that you increase your browser resolution. You have the option of just clicking on it to make it go away (like those stupid cookie notifications). Smiley Happy
  • The UI is now colour-coded depending on what you input. Green is good, yellow is suspect and red is bad. Not only do the items update but the command bar will flash the appropriate colour.
  • Along the same lines are feedback icons. Green check marks, yellow exclamation points and red crosses.
  • All items have contextual help. Hover your mouse over the icon and all options will be explained - Some have examples in them as well.
  • When using the 'not' option to negate a filter, the filter item will change to a light grey colour to provide a quick visual cue as to which (if any) filters have been negated.
  • When scrolling down, a back-to-top button will show up.
  • There will be basic colour-coded validation on filter input as well once I get around to building the JS for them. This will be cross-module wherever possible.
  • You can add filters above and below any other filters!!! Well, right now it just adds the words "Got here" as a placeholder but you get the idea. Smiley Happy

Down the road a bit, I'm going to add other commands related to vendors and *nix networking. Things like 'fw tab' command syntax, 'nmap' syntax and the like. These will definitely be after the next major release but should be easy modules to add in.

I'm going to try to do (somewhat) regular updates to the dev environment while I keep working on this so please keep checking it every now and then. I'll start posting updates to the /r/tcpdump101 subreddit thread I have started for the dev version (I don't want to be a spammer) so feel free to head over there as well even if it's just to lurk. If you're on Twitter and want to post feedback, feel free to add me @Grave_Rose there as well. I'm trying to get two or three updates a week pushed online depending on "real life" and all that jazz. Smiley Happy

Thanks in advance and I look forward to collaborating with everyone some more!

Sean (Gr@ve_Rose)

0 Kudos
Grave_Rose
Collaborator

Hey everyone - I've updated https://tcpdump101.com to now include the new 'cppcap' utility. There's a small bug where adding a new filter doesn't automatically update the operand but once you select the radio button for the operand, it will show up.

Let me know if you have time to play around with it and let me know if you discover any more... -ahem- Undocumented features. Smiley Happy I'm still working on the next release at http://dev.tcpdump101.com so, again, if you have time to check that out as well (only tcpdump works right now [4.12.18]) and provide feedback, I'd be very grateful!

Have a good one!

Sean (Gr@ve_Rose)

Sven_Glock
Advisor

Hi Sean,

thanks for continuing to improve your tool.

I like the new facelift. 

Some thoughts:

  • why have you removed file options like rotate, split etc?
  • a lot of people do not know that they can use "any" as parameter for "-i".
    Why not offer this as a radio button?
  • I am not sure if this is a Check Point specific thing: I love the -P switch, which is showing interface names.
    This is very useful when using interface "any". So you can nicely see incoming and outgoing interface names.
  • Output location: Save to file: on/off is easier to understand even for linux newbies than stdout.
  • I am missing some plausibility tests 

  • In the filters dropdown menu you can choose the menu separators, which can be a bit confusing.
    Is it possible to present the menu separators in a different look than the real filters (for example using bold font)?
  • IPv4/6-Filters: It would be much easier only to select IPv4/6-Filter and have a radio button afterwards to select if it is for source/destination or source and destination. Moreover, it would be nice to have an automated detection of net/hostname or IP (once there is a "/" it has to be a network and you have to add "net" - no "/", no "net", that is, it has to be a hostname or single IP). This will additionally make the filters menu shorter and more clear.
  • TCP-Flags: When you want to filter on packets that have SYN and ACK flags you have to define two separate filters. Why not offer to select multiple flags by check box and build two separate filters in the background?

Ok, I think that's enough for the beginning to fill your free time next weekend.

Regards

Sven

Grave_Rose
Collaborator

Hey Sven Glock - Thanks so much for the helpful feedback!

For items 1 and 2 I just forgot about them, to be honest. Smiley Happy I was rushing a little bit and, since I do this in my spare time, sometimes I forget where I left off or what I was working on. I'll put these back in since they're both pretty important to people.

Item 3 is covered in the "Information Only" option with the "-D" switch. This will show you all the interfaces you can run tcpdump on.

Item 4 I like the idea of "On/Off" and then maybe have a little item about printing to the screen versus saving to a file. I'll update this as well when I'm putting back the additional "Save to File" options.

For item 5, have you never seen a MAC address with 11:11:11:11:11:11:11:11:!1:$" before? Seriously though, those checks are currently in the works on my laptop - I just haven't pushed them to the public site yet. As for the "host" filter, as goofy as this sounds, it's possible that someone has "11111asdfasdf" as a hostname somewhere. I will be putting in some "guessing" checks for those but it's almost impossible to know what people can put in for those types of filter. For example, the following three items are all valid: 1.2.3.4, 2001:bad:c0de::1 and 1.2.3.4.com (IPv4, IPv6, host/domain name). I will be testing out some RegEx to see if I can get it to work properly but I may be left with just guessing. Stay tuned, though. Smiley Happy

Item 6 is a bit more involved... You see, HTML select and option elements are not able to be styled by CSS as some other HTML DOM elements. The same thing goes for radio buttons and checkboxes. To be able to create a bold section title or have custom radio buttons (for example) would require a fair bit of coding since you have to hide the existing HTML <option> element, create new HTML/CSS for the custom look and then have a JavaScript caller to handle the events. But... And I'm not joking about this... While writing this out, you did give me an idea that may work. Instead of using an HTML select/option combination, I could create an HTML/CSS menu instead and use an onClick function on the spans to call the back-end JS. I'm going to try this out to see how easy it is to get working. Thanks for helping me think of a new (possible) solution, Sven. Smiley Happy

I like the idea in item 7 about shortening the list by using radio buttons for src/dst. I will also try merging the host/net option by looking for the "/" character but I may keep host and net separate to make things a bit easier for new people. But I will give it a try and see how it goes.

For the last item, it's a good idea in theory but, personally, I think it may not work as well in practice. Here's what I'm thinking... We know that there are many useful combinations of TCP flags like SA or FA or even the old XMas tree scan with FPU set. But people who are new to PCaps, TCP or networking in general may not. By keeping the filters separate, the users will learn that the flags are unique per filter which, in turn, will help them learn that each TCP flag is unique and then they have that extra knowledge. The other thing is newer people may get confused if they have to create logic gates with this type of filter and they may be tempted to put checkmarks in boxes that already exist when, instead, they should be creating a new filter inside their logic gates. But maybe I'm overthinking this. Smiley Happy

In terms of my weekend... I'm currently fighting a sinus cold (yay Canadian weather!) so between that, family obligations and getting drunk on cold medicine, I'll see how much time I've got for this. Maybe I'll work on it after taking some cough syrup and see if it makes my code better or not... If the next dev push has a bunch of cat pictures instead of usable code, you'll know why.

0 Kudos
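Sven's suggestions above (auto-detecting host vs. net from a "/", multi-flag TCP filters) and Sean's reply about validating host/net/IP input both come down to the same small piece of logic. The following is an added example, not code from tcpdump101.com: it classifies an address field into a "host" or "net" term (accepting the three valid inputs Sean lists: 1.2.3.4, 2001:bad:c0de::1 and 1.2.3.4.com), rejects anything else before it can reach a generated command line, and builds tcp[13] flag tests either as an exact match (Sven's tcp[13] == 2) or as an "at least these flags" mask. Function and variable names are my own.

```python
import ipaddress
import re

# Assumption: hostname labels follow RFC 1123 (letters, digits, inner hyphens, 1-63 chars).
# Rejecting anything else also keeps shell metacharacters out of the generated command.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Bit values of the low six TCP flag bits as read by tcp[13] (ECE=64 and CWR=128 also live there).
TCP_FLAG_BITS = {"F": 1, "S": 2, "R": 4, "P": 8, "A": 16, "U": 32}


def classify_address(value):
    """Return ('net', cidr) or ('host', text); raise ValueError for anything unrecognised."""
    value = value.strip()
    if "/" in value:
        # A "/" means a network: normalise it and emit the "net" keyword.
        return "net", str(ipaddress.ip_network(value, strict=False))
    try:
        # Single IPv4 or IPv6 address.
        return "host", str(ipaddress.ip_address(value))
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    if len(value) <= 253 and all(_LABEL.match(label) for label in labels):
        return "host", value  # Looks like a hostname; tcpdump resolves it at run time.
    raise ValueError(f"not an IP address, network or hostname: {value!r}")


def address_filter(value, direction=None, negate=False):
    """Build one L3 filter term, e.g. 'src net 192.168.1.0/24' or 'not host 1.2.3.4'."""
    if direction not in (None, "src", "dst"):
        raise ValueError("direction must be None, 'src' or 'dst'")
    kind, text = classify_address(value)
    parts = ["not"] if negate else []
    if direction:
        parts.append(direction)
    parts += [kind, text]
    return " ".join(parts)


def tcpflags_filter(flags, exact=False):
    """Build a tcp[13] test from flag letters such as 'S', 'SA' or 'FPU'.

    exact=True  -> only these flags set (tcp[13] == mask), like Sven's SYN-only example.
    exact=False -> at least these flags set (tcp[13] & mask == mask); other bits may be set too.
    """
    mask = 0
    for letter in flags.upper():
        if letter not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter: {letter!r}")
        mask |= TCP_FLAG_BITS[letter]
    return f"tcp[13] == {mask}" if exact else f"tcp[13] & {mask} == {mask}"


def tcpdump_command(interface, terms):
    """Join validated filter terms with 'and' into a tcpdump command line."""
    if not re.fullmatch(r"[A-Za-z0-9_.:-]+", interface):
        raise ValueError(f"suspicious interface name: {interface!r}")
    return f"tcpdump -nn -i {interface} " + " and ".join(terms)


if __name__ == "__main__":
    print(tcpdump_command("eth1", [address_filter("192.168.1.0/24", "src"),
                                   tcpflags_filter("S", exact=True)]))
```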
Grave_Rose
Collaborator

Hey Sven Glock and everyone else. I've pushed the latest update to http://dev.tcpdump101.com with some new items/features that I'd love to hear your feedback on.

I've put the additional "Save to File" options back in since I forgot them earlier as well as an updated note in the (?) Help bubble for the tcpdump interface stating that you can use 'any' as an interface. (Thanks Sven Glock) I do have a little clean-up to do on the error checking for those, however, so don't be too alarmed that they're not at 100% yet. Smiley Happy

I've also added error checking on the following filters:

  • Layer-2 Addresses (strict)
  • Layer-3 Protocols (loose)
  • Layer-4 Ports (loose)
  • VLAN IDs (strict)
  • PPPoES IDs (strict)
  • MPLS (strict)

I will be adding descriptions to the errors in the near future so that people will know what's wrong with what they've entered and how to correct it. I will also be adding error checking on the rest of the filters as well. A small icon at the top-right of each filter will let you know at-a-glance if the filters you've entered are valid, suspect or invalid.

When you negate a filter now (by using the "not" box), an icon appears in the top-right of the filter to let you know at-a-glance which filters are negated. They used to change the background of the filter to grey but I realized that the error checking background colours wouldn't be available.

I'm going to finish up the error checking on the Save to File modules and the rest of the filters and will then look at changing the filter menu from an HTML <select> field to a custom HTML/CSS hoverable menu and see how that looks and feels.

As usual, any and all feedback is appreciated.

Sean (Gr@ve_Rose)

Grave_Rose
Collaborator

Happy New Year everyone! I know we're a few weeks in but it's a New Year in this thread. Smiley Happy Since this board has been the most supportive and interactive I figured I'd give everyone an update on how things have been progressing with the site/tool... The answer is extremely well. I've put a lot of work into the dev site (http://dev.tcpdump101.com) and was hoping that, if you have a few minutes (I know, I know...) you could check it out and provide some feedback (both positive and negative) on what you think.

Here's where it's at now for those who just want to read about it and may not have time to play around:

  • The dev site now has all the same modules as production (still missing the Cisco [Can I write that here? Should I put C***o instead? Smiley Happy] but I recently got my hands on a 5506-X so that's next on the list).
  • All the filters have been changed from the drop-down (select) list and are now styled buttons sorted by OSI layer.
  • The filters list can also be resized vertically if you want to see them all in one box. Just click-n-drag the handle on the bottom-right of the filters list box.
  • You can fully add filters above or below existing filters regardless of how many filters you have. ::fist pump::
  • The "not" option on the filters just adds an icon on the top-right of the filter instead of changing the whole background colour of the filter.
  • The "cppcap" module works properly without the operand bug currently present in prod.
  • An RSS feed is now available (http://dev.tcpdump101.com/rss/rss.xml) which will be used for site updates as well as project-related notifications (see next item). There is an icon in the menu bar in the "social" area to get the link and put it in your RSS reader.
  • There is a link to my (so far empty) Youtube channel in the "social" area as well. I'm going to have PCap videos and some livestream events so if those interest you, stay tuned.
  • I've added a "CLI" area which will be used to create network and OS commands across all devices in a similar fashion. Right now, it has a placeholder to use the "ip" command to view interfaces but, as time goes on, will have things like configuring OSPF, running an nmap scan or clustering devices - So long as it can be done on the CLI of the device, I'll try to add things in over time. This will be worked on more after the Cisco PCap module is done.
  • There's contextual help on pretty much everything. Question marks... Question marks as far as the eye can see.
  • I've added <label> tags to radio buttons so you can just click on the words instead of having to click on the button directly.
  • I've done away with some of the checkboxes. For instance, if you want to change the snaplength of the PCap, just type the number in. No need to check a box and then type a number in.
  • There's a handy "back to top" button that shows up if you scroll down.
  • Multi-line command (such as "fw ctl debug" commands) will now copy the entire multi-line command instead of just highlighting it.
  • The back-end JavaScript has been reduced by about 40% while still having the same (if not a bit more) functionality than the original which is nice.

I think that about covers it for the latest update (16.1.19) on the dev site. As I mentioned at the start of this, if you can find the time to tinker around with it and let me know your thoughts, I'd appreciate it a lot! If not, that's fine too - I'm pretty easy going. Smiley Happy

Cheers,

Sean (Gr@ve_Rose)

Grave_Rose
Collaborator

Ladies and Gentlemen... It's been a while but wanted to let you know that https://tcpdump101.com now supports the "new" version of "fw monitor" found in R80.20 JHF73+ which uses the simple filter module. If you get a chance to check it out, let me know how you find it! Happy Packet Hunting.

tcpdump101.com 1.01 - New 'fw monitor' section

Keep being awesome!

Sean (Gr@ve_Rose)

0 Kudos
Sven_Glock
Advisor

Hi Sean,

after a long while I went back to your website.
Nice new updates! Thanks for your efforts.

Today I had the need to work with an older version of fw monitor.

So I decided to build the syntax on your website.

But I have to say I missed a feature - may be I only have not seen it...

TCPFLAGs 

I even had to consult CPs documentation! 😵

Just wanted to leave this here - may be it is a topic for your roadmap.

Cheers

Sven

Grave_Rose
Collaborator

Hey @Sven_Glock - Thanks for the feedback and I'm glad you like the new layout! I will see about adding the TCPFLAGS option to both of the 'fw monitor' modules as soon as I can. Things are pretty hectic right now on my side (a lot of PenTesting and Red Team engagements) but I'll let you know when they've been added, tested and verified although it may be a while. Once they're in, do you mind if I credit you with the feature request on Twitter when the time comes?

As per usual, if you (or anyone else) wants to share feedback (positive and constructive) I'm always open to hearing from the community. 🙂

Cheers,

Sean (Gr@ve_Rose)

0 Kudos