Hopefully self-promotion isn't frowned upon but I was suggested to post here. Over the past few years, I've been working on a tool to help people capture packets by allowing users to have a web-based interface to create the commands for them. Today, I've launched the latest version into production which supports "fw monitor" as well as "fw ctl debug" commands. It's located here: https://tcpdump101.com
I'm posting this in the hopes that people will find it useful (it supports tcpdump as well as other vendors) and maybe get some feedback from the community. If you use it, let me know if you find it handy, what you'd like to see improved and if you have any other suggestions.
Thanks,
Sean (Gr@ve_Rose)
Wow - nice tool - I like it!
Thanks Sven Glock and I'm glad you like it!
Hi Sean,
what about adding tcpflags to your predefined filters?
Example:
tcpdump -nn -i eth1 src net 192.168.1.0/24 and tcp[13] == 2
This only looks for packets coming from 192.168.1.0/24 where the tcpflag "syn" is set.
Cheers
Sven
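The `tcp[13] == 2` filter Sven quotes compares the whole TCP flags byte, so it matches a bare SYN and nothing else (a SYN-ACK reply has byte 13 equal to 18 and is excluded). As an added example, not part of this thread and not tcpdump101's own code, here is a small Python helper that builds that fragment for any set of flags in both the "exactly these flags" and "these flags set, others ignored" forms, and checks the same test locally against a constructed TCP header so the difference is visible without a live capture. The flag names and bit values are tcpdump's own; the header bytes are sample data built inline.

```python
import struct

# Bit values of the TCP flags byte (offset 13 in the TCP header), matching the
# names tcpdump accepts as tcp-fin, tcp-syn, ... in filter expressions.
TCP_FLAG_BITS = {
    "fin": 0x01, "syn": 0x02, "rst": 0x04, "push": 0x08,
    "ack": 0x10, "urg": 0x20, "ece": 0x40, "cwr": 0x80,
}


def flags_mask(names):
    """Combine flag names (case-insensitive) into the byte value tcpdump compares against."""
    mask = 0
    for name in names:
        mask |= TCP_FLAG_BITS[name.lower()]
    return mask


def tcpflags_filter(names, exact=True):
    """Return the tcp[13] fragment of a tcpdump filter for the given flags.

    exact=True  -> only packets with exactly these flags and no others
                   (["syn"] gives "tcp[13] == 2": pure SYN, SYN-ACK excluded)
    exact=False -> packets where these flags are set, whatever else is set
                   (["syn"] then also matches SYN-ACK)
    """
    mask = flags_mask(names)
    if exact:
        return f"tcp[13] == {mask}"
    return f"tcp[13] & {mask} == {mask}"


def matches(flags_byte, names, exact=True):
    """Evaluate the same test locally against a TCP flags byte."""
    mask = flags_mask(names)
    return flags_byte == mask if exact else (flags_byte & mask) == mask


def build_tcp_header(flags_byte, sport=40000, dport=443):
    """Constructed 20-byte TCP header (no options) with the given flags byte; sample data only."""
    data_offset = 5 << 4  # header length of 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags_byte, 65535, 0, 0)


def tcp_flags_byte(header):
    """tcp[13] as tcpdump sees it: byte 13 of the TCP header."""
    return header[13]


if __name__ == "__main__":
    syn = build_tcp_header(flags_mask(["syn"]))
    syn_ack = build_tcp_header(flags_mask(["syn", "ack"]))
    for exact in (True, False):
        expr = tcpflags_filter(["syn"], exact=exact)
        print(f"{expr:22} SYN={matches(tcp_flags_byte(syn), ['syn'], exact)}"
              f" SYN-ACK={matches(tcp_flags_byte(syn_ack), ['syn'], exact)}")
```

The distinction matters when you are hunting for connection attempts rather than handshakes: the exact form shows you only the client's first packet, while the mask form also shows the server's replies, so a filter that is meant to count inbound SYNs should use the exact form or combine the mask with `and not tcp-ack`.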
Hey Sven Glock - Thanks for the feedback! Those filters are already included in the tool. If you select "TCP Only" a sub-menu opens up where you can specify which flags you want to filter on. I've snipped the screenshots below for you (the second one just shows the output - it's not a real command). Let me know if you have any more feedback and I hope you find it useful!
Hi Sean,
thanks for your fast reply!
I saw those filters, but I was not able to link "TCP only" with "tcpflags" - my mistake, sorry!
The implementation is good.
I will have a look for real improvements
Cheers
Sven
Don't apologize - Even small things can be seen as improvements. If even one person has an issue, it could mean that other people have the issue as well. Would it be helpful if the "TCP Only" option were expanded to read "TCP Only (Including tcpflags)" or something like that?
Yes, this would be definitely helpful!
I have another thing...
Once you are using multiple filters there is no possibility to delete the first filter:
You can set it only to "none" but this will leave a relic in the command line:
Cheers
Sven
As I could not delete the first filter I tried to change it, but this caused serious problems and left the command unchanged:
Hey Sven Glock - Man, you're a machine. The second item you pointed out seems to be a bug. It would seem that if you select an option and leave it blank then select "TCP Only" the previous error message persists and prevents you from using the "TCP Only" option. All other options work so I'll look into this as soon as I can. Once I fix it, I'll let everyone know.
With regards to the first item (not being able to delete the first filter) this is something I'm working on. It also ties into something that Phillip Runner suggested about being able to add filters in above/below and in the middle of existing syntax. I'm basically looking at a total back-end rewrite to be able to support these features but it's something a lot of people have mentioned they want to see so I want to make it happen. Of course, this is going to take quite a while as it's a full re-write and I need to balance this with "real life".
Thanks again for the suggestions and feedback!
Hey Sven Glock (and everyone else in the thread) - I've fixed the bug and modified "TCP Only" to "TCP Only (with tcpflags)" for the modules which support it (tcpdump and Fortinet). I've also given you credit for finding this in the .plan section of the tool and will be mentioning you on Twitter as well for this. Again, thanks to everyone for the feedback.
One more thing...
Once you have already defined a filter and you want to create a new one for a different scenario you need to reload the page.
A "start over" button would be nice!
Cheers
Sven
Check down on the bottom-most icon in the menu bar - The rubbish bin will reload the page for you and reset everything. Saves you from having to press Ctrl+F5. I know it has to perform a page reload but it's the easiest way instead of having to have a script which blanks all fields and resets everything. Also, there are some keyboard shortcuts so when you load the page and get the splash screen, press [ESC] and it will hide the splash page for you.
Ok, the root cause seems to be my 27" screen - the rubbish bin is too far away from the form itself
From my side: once you are working in a form you are only looking for features like this inside the form.
The sidebar suggests that the links on it do not belong to the form.
As the bin is the only one, I did not expect buttons in that menu belonging to the form.
So, it would be nice to have the bin inside the form.
...but maybe I am a bit too old school
Hahaha! Maybe I'll put a cookie in the page to track you and have the bin follow you around.
I think what I could do (when doing the re-work) is to have a "clear all filters" button pop up near the filters somewhere. Would that work for you in the future?
Yes, this would be helpful!
Hey everyone - I normally don't like to bump threads for the sake of self-promotion but since I've received a lot [!] of feedback and constructive ideas from this post, I thought I'd post a quick update. This will (probably?) be the last one here at Check Mates before the next move from Dev to Prod with the new (from scratch) re-write so I'm not seen spamming message boards.
If you have a few minutes in the near future, can you check out the development build at http://dev.tcpdump101.com and use the "tcpdump" module to let me know what you think? It's not very functional right now but the UI layout is pretty much there. Let me know what seems good to you, what seems not-so-good to you and what you'd like to see in the new build. Here are a few quick highlights (as of 15.11.18) of what's working. Your input and feedback will help shape the tool for everyone.
Down the road a bit, I'm going to add other commands related to vendors and *nix networking. Things like 'fw tab' command syntax, 'nmap' syntax and the like. These will definitely be after the next major release but should be easy modules to add in.
I'm going to try to do (somewhat) regular updates to the dev environment while I keep working on this so please keep checking it every now and then. I'll start posting updates to the /r/tcpdump101 subreddit thread I have started for the dev version (I don't want to be a spammer) so feel free to head over there as well even if it's just to lurk. If you're on Twitter and want to post feedback, feel free to add me @Grave_Rose there as well. I'm trying to get two or three updates a week pushed online depending on "real life" and all that jazz.
Thanks in advance and I look forward to collaborating with everyone some more!
Sean (Gr@ve_Rose)
Hey everyone - I've updated https://tcpdump101.com to now include the new 'cppcap' utility. There's a small bug where adding a new filter doesn't automatically update the operand but once you select the radio button for the operand, it will show up.
Let me know if you have time to play around with it and let me know if you discover any more... -ahem- Undocumented features. I'm still working on the next release at http://dev.tcpdump101.com so, again, if you have time to check that out as well (only tcpdump works right now [4.12.18]) and provide feedback, I'd be very grateful!
Have a good one!
Sean (Gr@ve_Rose)
Hi Sean,
thanks for continuing to improve your tool.
I like the new facelift.
Some thoughts:
Ok, I think that's enough for the beginning to fill your free time next weekend
Regards
Sven
Hey Sven Glock - Thanks so much for the helpful feedback!
For items 1 and 2 I just forgot about them, to be honest. I was rushing a little bit and, since I do this in my spare time, sometimes I forget where I left off or what I was working on. I'll put these back in since they're both pretty important to people.
Item 3 is covered in the "Information Only" option with the "-D" switch. This will show you all the interfaces you can run tcpdump on.
Item 4 I like the idea of "On/Off" and then maybe have a little item about printing to the screen versus saving to a file. I'll update this as well when I'm putting back the additional "Save to File" options.
For item 5, have you never seen a MAC address with 11:11:11:11:11:11:11:11:!1:$" before? Seriously though, those checks are currently in the works on my laptop - I just haven't pushed them to the public site yet. As for the "host" filter, as goofy as this sounds, it's possible that someone has "11111asdfasdf" as a hostname somewhere. I will be putting in some "guessing" checks for those but it's almost impossible to know what people can put in for those types of filter. For example, the following three items are all valid: 1.2.3.4, 2001:bad:c0de::1 and 1.2.3.4.com (IPv4, IPv6, host/domain name). I will be testing out some RegEx to see if I can get it to work properly but I may be left with just guessing. Stay tuned, though.
Item 6 is a bit more involved... You see, HTML select and option elements are not able to be styled by CSS as some other HTML DOM elements. The same thing goes for radio buttons and checkboxes. To be able to create a bold section title or have custom radio buttons (for example) would require a fair bit of coding since you have to hide the existing HTML <option> element, create new HTML/CSS for the custom look and then have a JavaScript caller to handle the events. But... And I'm not joking about this... While writing this out, you did give me an idea that may work. Instead of using an HTML select/option combination, I could create an HTML/CSS menu instead and use an onClick function on the spans to call the back-end JS. I'm going to try this out to see how easy it is to get working. Thanks for helping me think of a new (possible) solution, Sven.
I like the idea in item 7 about shortening the list by using radio buttons for src/dst. I will also try merging the host/net option by looking for the "/" character but I may keep host and net separate to make things a bit easier for new people. But I will give it a try and see how it goes.
For the last item, it's a good idea in theory but, personally, I think it may not work as well in practice. Here's what I'm thinking... We know that there are many useful combinations of TCP flags like SA or FA or even the old XMas tree scan with FPU set. But people who are new to PCaps, TCP or networking in general may not. By keeping the filters separate, the users will learn that the flags are unique per filter which, in turn, will help them learn that each TCP flag is unique and then they have that extra knowledge. The other thing is newer people may get confused if they have to create logic gates with this type of filter and they may be tempted to put checkmarks in boxes that already exist when, instead, they should be creating a new filter inside their logic gates. But maybe I'm overthinking this.
In terms of my weekend... I'm currently fighting a sinus cold (yay Canadian weather!) so between that, family obligations and getting drunk on cold medicine, I'll see how much time I've got for this. Maybe I'll work on it after taking some cough syrup and see if it makes my code better or not... If the next dev push has a bunch of cat pictures instead of usable code, you'll know why.
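Sean's point about the "host" filter (1.2.3.4, 2001:bad:c0de::1 and 1.2.3.4.com are all valid, and "11111asdfasdf" is a legal hostname) is exactly the case a validator has to get right. As an added example, not part of this thread and not tcpdump101's code, the Python below shows one way to classify such a value: try it as an IPv4/IPv6 address first, then fall back to the DNS label rules for a hostname, and reject everything else (a MAC address, a string with characters no hostname may contain, or a digits-only value like "1.2.3" that is really a malformed IP). It also covers Sean's "merge host and net by looking for the '/' character" idea from the next reply. The function names and the sample inputs are my own; the IP parsing is the standard library's `ipaddress` module.

```python
import ipaddress
import re

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_host_value(value):
    """Return (kind, normalized) for a tcpdump 'host' argument.

    kind is "ipv4", "ipv6" or "hostname". Raises ValueError for anything that is
    none of the three (a MAC address, a value with characters a hostname cannot
    contain, or an all-numeric value that is not a complete IP address).
    """
    v = value.strip()
    if not v:
        raise ValueError("empty host filter")
    try:
        addr = ipaddress.ip_address(v)  # accepts both 1.2.3.4 and 2001:bad:c0de::1
        return f"ipv{addr.version}", str(addr)
    except ValueError:
        pass
    if len(v) > 253:
        raise ValueError("hostname too long")
    labels = v.rstrip(".").split(".")
    if not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"not an IP address or hostname: {value!r}")
    if all(label.isdigit() for label in labels):
        raise ValueError(f"looks like a malformed IP address: {value!r}")  # e.g. "1.2.3"
    return "hostname", v.lower()


def classify_net_value(value):
    """Return (kind, normalized CIDR) for a tcpdump 'net' argument; host bits are masked off."""
    net = ipaddress.ip_network(value.strip(), strict=False)
    return f"ipv{net.version}", str(net)


def build_address_filter(value, direction=None, negate=False):
    """Build a 'src host X' / 'dst net X/len' fragment. A '/' in the value selects 'net'."""
    if "/" in value:
        keyword, (_, normalized) = "net", classify_net_value(value)
    else:
        keyword, (_, normalized) = "host", classify_host_value(value)
    parts = ["not"] if negate else []
    if direction:
        if direction not in ("src", "dst"):
            raise ValueError("direction must be 'src' or 'dst'")
        parts.append(direction)
    parts += [keyword, normalized]
    return " ".join(parts)


def is_valid_address_value(value):
    """Boolean wrapper, the kind of check behind a valid/invalid icon next to a filter."""
    try:
        build_address_filter(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, including the odd ones from the thread.
    for sample in ["1.2.3.4", "2001:bad:c0de::1", "1.2.3.4.com", "11111asdfasdf",
                   "192.168.1.0/24", "1.2.3", "11:11:11:11:11:11:11:11:!1:$"]:
        status = build_address_filter(sample) if is_valid_address_value(sample) else "INVALID"
        print(f"{sample:32} -> {status}")
```

Two design notes: hostnames are only checked for syntax, not resolved, so the tool stays usable offline and never leaks what you are looking for via DNS; and `strict=False` on `ip_network` silently zeroes host bits (`1.2.3.4/24` becomes `1.2.3.0/24`), which is what tcpdump itself would do, but a UI might prefer to flag it as "suspect" rather than quietly rewrite it.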
Hey Sven Glock and everyone else. I've pushed the latest update to http://dev.tcpdump101.com with some new items/features that I'd love to hear your feedback on.
I've put the additional "Save to File" options back in since I forgot them earlier as well as an updated note in the (?) Help bubble for the tcpdump interface stating that you can use 'any' as an interface. (Thanks Sven Glock) I do have a little clean-up to do on the error checking for those, however, so don't be too alarmed that they're not at 100% yet.
I've also added error checking on the following filters:
I will be adding descriptions to the errors in the near future so that people will know what's wrong with what they've entered and how to correct it. I will also be adding error checking on the rest of the filters as well. A small icon at the top-right of each filter will let you know at-a-glance if the filters you've entered are valid, suspect or invalid.
When you negate a filter now (by using the "not" box), an icon appears in the top-right of the filter to let you know at-a-glance which filters are negated. They used to change the background of the filter to grey but I realized that the error checking background colours wouldn't be available.
I'm going to finish up the error checking on the Save to File modules and the rest of the filters and will then look at changing the filter menu from an HTML <select> field to a custom HTML/CSS hoverable menu and see how that looks and feels.
As usual, any and all feedback is appreciated.
Sean (Gr@ve_Rose)
Happy New Year everyone! I know we're a few weeks in but it's a New Year in this thread. Since this board has been the most supportive and interactive I figured I'd give everyone an update on how things have been progressing with the site/tool... The answer is extremely well. I've put a lot of work into the dev site (http://dev.tcpdump101.com) and was hoping that, if you have a few minutes (I know, I know...) you could check it out and provide some feedback (both positive and negative) on what you think.
Here's where it's at now for those who just want to read about it and may not have time to play around:
I think that about covers it for the latest update (16.1.19) on the dev site. As I mentioned at the start of this, if you can find the time to tinker around with it and let me know your thoughts, I'd appreciate it a lot! If not, that's fine too - I'm pretty easy going.
Cheers,
Sean (Gr@ve_Rose)
Ladies and Gentlemen... It's been a while but wanted to let you know that https://tcpdump101.com now supports the "new" version of "fw monitor" found in R80.20 JHF73+ which uses the simple filter module. If you get a chance to check it out, let me know how you find it! Happy Packet Hunting.
tcpdump101.com 1.01 - New 'fw monitor' section
Keep being awesome!
Sean (Gr@ve_Rose)
Hi Sean,
after a long while I went back to your website.
Nice new updates! Thanks for your efforts.
Today I had the need to work with an older version of fw monitor.
So I decided to build the syntax on your website.
But I have to say I missed a feature - maybe I just haven't seen it...
TCPFLAGs
I even had to consult CP's documentation! 😵
Just wanted to leave this here - maybe it is a topic for your roadmap.
Cheers
Sven
Hey @Sven_Glock - Thanks for the feedback and I'm glad you like the new layout! I will see about adding the TCPFLAGS option to both of the 'fw monitor' modules as soon as I can. Things are pretty hectic right now on my side (a lot of PenTesting and Red Team engagements) but I'll let you know when they've been added, tested and verified although it may be a while. Once they're in, do you mind if I credit you with the feature request on Twitter when the time comes?
As per usual, if you (or anyone else) wants to share feedback (positive and constructive) I'm always open to hearing from the community. 🙂
Cheers,
Sean (Gr@ve_Rose)