An open source Wireshark extcap to make ad hoc mirroring of AWS EC2 traffic easier
aidansteele/vpcshark
2024 Update

All the code in this repo was written in mid 2022 when VPC traffic mirroring was relatively new and shiny. I had kept this code closed-source because I had unrealistic ambitions about perhaps making this project open-core with a value-add SaaS on the side. In the interim, it seems that AWS has launched sixth, seventh and eighth-generation EC2 instance family types without traffic mirroring support. I have no inside knowledge, but that indicates to me that the functionality will only become less useful as the fifth-generation EC2 instances become increasingly obsolete. So here's an open source dump of code for historical interest.

vpcshark

vpcshark is an extcap Wireshark plugin that automates VPC traffic mirroring. Specifically, it creates (on demand, for each Wireshark capture session):

  • An EC2 instance to receive mirrored traffic
  • A traffic mirror target pointed at the above EC2 instance
  • A traffic mirror filter that permits all traffic (TODO: scope down to match Wireshark capture filter)
  • A traffic mirror session for the EC2 ENI that you are mirroring

It should terminate the EC2 instance after the Wireshark capture session has been stopped, but that part is buggy and not properly implemented yet. Likewise, automatic destruction of traffic mirror sessions is not implemented. Run vpcshark --cleanup --profile <aws profile name> to clean up leftover traffic mirror resources.

Usage

First you need to build the remote tool that is copied to and executed on the remote EC2 instance. You can do that like this:

(cd remote; GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -ldflags="-s -w"; upx remote)

The upx step is optional, but it makes copying the file to the instance faster. After that, you can go build the vpcshark executable as normal. The remote build must happen first because the remote binary is embedded into the vpcshark binary at build time.

Logs will appear in /tmp/vpcshark.log.

You need to copy (or symlink) vpcshark into the extcap directory. By default that is /Applications/Wireshark.app/Contents/MacOS/extcap/ on macOS. When you launch Wireshark, you will see a new capture interface named AWS VPC Traffic Mirroring: awsvpc. Double-clicking this will yield the following dialogue box:

[screenshot: extcap options dialogue]

First, select an AWS profile. If you use AWS SSO, you should already have logged in to this profile recently.

Next, click Load VPCs…. This will refresh the VPC dropdown box. Select the VPC that contains the ENI you are interested in mirroring.

Next, click Load ENIs…. This will refresh the ENI dropdown box. Select the ENI you are interested in mirroring.

Finally, click Load templates… and select the EC2 launch template you want to use for the temporary EC2 instance that will be launched as the traffic mirror target.

Note: at a minimum, the launch template must include everything required to launch an EC2 instance. This means you need to specify:

  • An AMI. This should be one based on Amazon Linux 2. Specifically one that can sudo yum install socat.
  • An instance type
  • A subnet (in the same VPC whose traffic you are mirroring)
  • A security group that has at least UDP port 4789 open to the VPC CIDR and SSH open to your personal IP address.
  • An ENI with an auto-assigned public IP address (if that is not already the default for your chosen subnet)
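Mirrored packets reach the target instance as VXLAN datagrams on UDP port 4789, which is why the security group rule above is needed and why the target has to decapsulate before frames can be handed to Wireshark. The following Go program is an added example and is not code from vpcshark or its remote tool: it decodes the 8-byte VXLAN header, extracts the 24-bit VNI and the inner Ethernet frame, and applies the two checks a mirror target should make before trusting a frame (the UDP sender lies inside the VPC CIDR, and the VNI matches the one assigned to the mirror session). The datagram, VPC CIDR, VNI and addresses are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// VXLAN header layout (RFC 7348), 8 bytes:
//   byte 0:    flags; bit 0x08 ("I") marks a valid VNI
//   bytes 1-3: reserved
//   bytes 4-6: 24-bit VNI
//   byte 7:    reserved
const (
	vxlanHeaderLen  = 8
	vxlanFlagValidI = 0x08
	ethHeaderLen    = 14
)

var (
	ErrShort = errors.New("datagram too short for VXLAN + Ethernet")
	ErrNoVNI = errors.New("VXLAN I flag not set; no valid VNI")
)

// MirrorFrame is the decoded view of one mirrored datagram payload.
type MirrorFrame struct {
	VNI       uint32
	DstMAC    net.HardwareAddr
	SrcMAC    net.HardwareAddr
	EtherType uint16
	Payload   []byte // inner L3 packet (e.g. IPv4 header onwards)
}

// DecodeVXLAN parses a UDP/4789 payload into its VNI and inner Ethernet frame.
func DecodeVXLAN(payload []byte) (*MirrorFrame, error) {
	if len(payload) < vxlanHeaderLen+ethHeaderLen {
		return nil, ErrShort
	}
	if payload[0]&vxlanFlagValidI == 0 {
		return nil, ErrNoVNI
	}
	vni := uint32(payload[4])<<16 | uint32(payload[5])<<8 | uint32(payload[6])
	eth := payload[vxlanHeaderLen:]
	return &MirrorFrame{
		VNI:       vni,
		DstMAC:    net.HardwareAddr(eth[0:6]),
		SrcMAC:    net.HardwareAddr(eth[6:12]),
		EtherType: binary.BigEndian.Uint16(eth[12:14]),
		Payload:   eth[ethHeaderLen:],
	}, nil
}

// AcceptFrame applies the checks a mirror target should make before handing a
// frame to Wireshark: the UDP sender must be inside the VPC CIDR (mirroring the
// security-group rule) and the VNI must be the one assigned to the mirror
// session, so a stray VXLAN sender cannot inject frames into the capture.
func AcceptFrame(sender net.IP, vpcCIDR *net.IPNet, expectedVNI uint32, f *MirrorFrame) bool {
	return vpcCIDR.Contains(sender) && f.VNI == expectedVNI
}

// sampleDatagram builds a constructed VXLAN datagram (not a real capture):
// VNI 0x000abc (2748), then an Ethernet frame with a minimal 20-byte IPv4 header.
func sampleDatagram() []byte {
	hdr := []byte{0x08, 0, 0, 0, 0x00, 0x0a, 0xbc, 0}
	eth := []byte{
		0x02, 0x00, 0x00, 0x00, 0x00, 0x01, // dst MAC (made up)
		0x02, 0x00, 0x00, 0x00, 0x00, 0x02, // src MAC (made up)
		0x08, 0x00, // EtherType IPv4
	}
	ipv4 := []byte{0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 1, 5, 10, 0, 1, 9}
	d := append(hdr, eth...)
	return append(d, ipv4...)
}

func main() {
	_, vpc, _ := net.ParseCIDR("10.0.0.0/16") // constructed VPC CIDR
	f, err := DecodeVXLAN(sampleDatagram())
	if err != nil {
		fmt.Println("decode failed:", err)
		return
	}
	fmt.Printf("VNI %d  %s -> %s  ethertype 0x%04x  %d payload bytes\n",
		f.VNI, f.SrcMAC, f.DstMAC, f.EtherType, len(f.Payload))
	fmt.Println("accepted:", AcceptFrame(net.ParseIP("10.0.1.5"), vpc, 2748, f))
}
```

In a real target, the sender IP comes from the UDP socket's ReadFromUDP result and the expected VNI from the traffic mirror session you created; frames failing either check are worth logging rather than silently dropping, since they indicate either a misconfigured security group or something other than the mirror service talking to port 4789.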
