All the code in this repo was written in mid 2022 when VPC traffic mirroring was relatively new and shiny. I had kept this code closed-source because I had unrealistic ambitions about perhaps making this project open-core with a value-add SaaS on the side. In the interim, it seems that AWS has launched sixth, seventh and eighth-generation EC2 instance family types without traffic mirroring support. I have no inside knowledge, but that indicates to me that the functionality will only become less useful as the fifth-generation EC2 instances become increasingly obsolete. So here's an open source dump of code for historical interest.
`vpcshark` is an extcap Wireshark plugin that automates VPC traffic mirroring.
Specifically it creates (on-demand, for each Wireshark session):
- An EC2 instance to receive mirrored traffic
- A traffic mirror target pointed at the above EC2 instance
- A traffic mirror filter that permits all traffic (TODO: scope down to match Wireshark capture filter)
- A traffic mirror session for the EC2 ENI that you are mirroring
It should terminate the EC2 instance after the Wireshark capture session has been stopped, but this is buggy and not properly implemented yet. Likewise, automatic destruction of traffic mirror sessions is not implemented. Run `vpcshark --cleanup --profile <aws profile name>` to clean up traffic mirror resources.
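The cleanup step has to respect an ordering that EC2 enforces: a traffic mirror target or filter cannot be deleted while a session still references it, so sessions go first, and only resources this tool created should be touched. The Go code below is an added example, not vpcshark's own cleanup implementation. The `MirrorAPI` interface, the `FakeEC2` stand-in, the `Session` struct (a session's id, the target and filter it references, and a tag saying who created it), the `vpcshark` tag value and the `tms-`/`tmt-`/`tmf-` ids are all constructed for illustration; a real run would wrap the AWS SDK's EC2 client behind the same interface.

```go
package main

import "fmt"

// MirrorAPI is the subset of EC2 calls cleanup needs. It is a hypothetical
// abstraction (not the AWS SDK's interface) so the ordering can run offline.
type MirrorAPI interface {
	ListSessions() ([]Session, error)
	DeleteSession(id string) error
	DeleteTarget(id string) error
	DeleteFilter(id string) error
}

type Session struct{ ID, TargetID, FilterID, Tag string }
const ownerTag = "vpcshark" // constructed: marks resources this tool created

// Cleanup deletes every session tagged as ours, then the targets and filters
// those sessions referenced. Sessions must go first: EC2 refuses to delete a
// target or filter while a session still points at it. Ids come back in order.
func Cleanup(api MirrorAPI) ([]string, error) {
	sessions, err := api.ListSessions()
	if err != nil {
		return nil, err
	}
	var deleted, targets, filters []string
	for _, s := range sessions {
		if s.Tag != ownerTag {
			continue // never touch sessions somebody else created
		}
		if err := api.DeleteSession(s.ID); err != nil {
			return deleted, fmt.Errorf("delete session %s: %w", s.ID, err)
		}
		deleted = append(deleted, s.ID)
		targets = appendUnique(targets, s.TargetID)
		filters = appendUnique(filters, s.FilterID)
	}
	for _, id := range targets {
		if err := api.DeleteTarget(id); err != nil {
			return deleted, fmt.Errorf("delete target %s: %w", id, err)
		}
		deleted = append(deleted, id)
	}
	for _, id := range filters {
		if err := api.DeleteFilter(id); err != nil {
			return deleted, fmt.Errorf("delete filter %s: %w", id, err)
		}
		deleted = append(deleted, id)
	}
	return deleted, nil
}

// appendUnique keeps first-seen order, so the deletion sequence is deterministic.
func appendUnique(list []string, id string) []string {
	for _, x := range list {
		if x == id {
			return list
		}
	}
	return append(list, id)
}

// FakeEC2 is an in-memory stand-in that enforces the same rule the real
// service does: a target or filter still referenced by a session cannot be deleted.
type FakeEC2 struct{ Sessions []Session }

func (f *FakeEC2) ListSessions() ([]Session, error) { return append([]Session(nil), f.Sessions...), nil }
func (f *FakeEC2) DeleteSession(id string) error {
	for i, s := range f.Sessions {
		if s.ID == id {
			f.Sessions = append(f.Sessions[:i], f.Sessions[i+1:]...)
			return nil
		}
	}
	return fmt.Errorf("session %s not found", id)
}

func (f *FakeEC2) DeleteTarget(id string) error { return f.deleteUnused(id) }
func (f *FakeEC2) DeleteFilter(id string) error { return f.deleteUnused(id) }
func (f *FakeEC2) deleteUnused(id string) error {
	for _, s := range f.Sessions {
		if s.TargetID == id || s.FilterID == id {
			return fmt.Errorf("%s is still referenced by session %s", id, s.ID)
		}
	}
	return nil
}

// SampleSessions is constructed input: two sessions of ours sharing one
// target and filter, plus one belonging to someone else that must survive.
func SampleSessions() []Session {
	return []Session{
		{ID: "tms-0a1", TargetID: "tmt-0b1", FilterID: "tmf-0c1", Tag: ownerTag},
		{ID: "tms-0a2", TargetID: "tmt-0b1", FilterID: "tmf-0c1", Tag: ownerTag},
		{ID: "tms-0a3", TargetID: "tmt-0b9", FilterID: "tmf-0c9", Tag: "other-team"},
	}
}

func main() {
	ids, err := Cleanup(&FakeEC2{Sessions: SampleSessions()})
	fmt.Println(ids, err) // [tms-0a1 tms-0a2 tmt-0b1 tmf-0c1] <nil>
}
```

Cleanup stops at the first failure and returns what it managed to delete, so a target that is shared with a session it is not allowed to remove is reported rather than silently left behind.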
First you need to build the remote tool that is copied to and executed on the remote EC2 instance. You can do that like this:

```sh
(cd remote; GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -ldflags="-s -w"; upx remote)
```
The `upx` step is optional, but makes copying the file faster. After that, you can `go build` the vpcshark executable like normal. These steps are needed because the `remote` binary is actually copied into the `vpcshark` binary.
Logs will appear in `/tmp/vpcshark.log`.
You need to copy (or symlink) `vpcshark` into the `extcap` directory. By default that is `/Applications/Wireshark.app/Contents/MacOS/extcap/` on macOS. When you launch Wireshark, you will see a new capture interface named `AWS VPC Traffic Mirroring: awsvpc`.
Double-clicking this will yield the following dialogue box:
First, select an AWS profile. If you use AWS SSO, then you should have already previously logged into this profile recently.
Next, click Load VPCs…. This will refresh the VPC dropdown box. Select the VPC that contains the ENI you are interested in mirroring.
Next, click Load ENIs…. This will refresh the ENI dropbox box. Select the ENI you are interested in mirroring.
Finally, click Load templates… and select the EC2 launch template you want to use for the temporary EC2 instance that will be launched as the traffic mirror target.
Note: at a minimum, the launch template must include everything required to launch an EC2 instance. This means you need to specify:
- An AMI. This should be one based on Amazon Linux 2, specifically one that can `sudo yum install socat`.
- An instance type
- A subnet (in the same VPC that you are mirroring traffic)
- A security group that has at least UDP port 4789 open to the VPC CIDR and SSH open to your personal IP address.
- An ENI with an auto-assigned public IP address (if that is not already the default for your chosen subnet)
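Mirrored packets reach the target instance as VXLAN (RFC 7348) on UDP port 4789, which is what that security group rule is for. Because the rule is open to the whole VPC CIDR, the receiver should only accept frames carrying the VNI assigned to its own mirror session. The Go code below is an added example and not part of vpcshark or its remote tool (which relies on socat): it decapsulates VXLAN, rejects frames with the wrong VNI, and wraps the result in the classic pcap record format an extcap hands to Wireshark. The VNI 4242, the sample frame and all function names are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)
// VXLAN header (RFC 7348), 8 bytes in front of the inner Ethernet frame:
//   byte 0     flags; bit 0x08 ("I") is set when the VNI field is valid
//   bytes 1-3  reserved
//   bytes 4-6  24-bit VXLAN Network Identifier (VNI)
//   byte 7     reserved
const (
	vxlanHeaderLen = 8
	etherHeaderLen = 14
)

var (
	ErrShort    = errors.New("vxlan: packet too short for header plus Ethernet frame")
	ErrNoVNI    = errors.New("vxlan: I flag not set, VNI is not valid")
	ErrWrongVNI = errors.New("vxlan: VNI does not match this mirror session")
)
// Decap strips the VXLAN header and returns the VNI and the inner Ethernet frame.
func Decap(pkt []byte) (uint32, []byte, error) {
	if len(pkt) < vxlanHeaderLen+etherHeaderLen {
		return 0, nil, ErrShort
	}
	if pkt[0]&0x08 == 0 {
		return 0, nil, ErrNoVNI
	}
	vni := binary.BigEndian.Uint32(pkt[4:8]) >> 8 // VNI is the upper 24 bits
	return vni, pkt[vxlanHeaderLen:], nil
}

// AcceptForSession returns the inner frame only when the VNI matches the one
// assigned to the mirror session. Port 4789 is open to the whole VPC CIDR, so
// any host in the VPC could send VXLAN to the target; checking the VNI keeps
// stray or unrelated frames out of the capture.
func AcceptForSession(sessionVNI uint32, pkt []byte) ([]byte, error) {
	vni, frame, err := Decap(pkt)
	if err != nil {
		return nil, err
	}
	if vni != sessionVNI {
		return nil, ErrWrongVNI
	}
	return frame, nil
}

// Encap wraps a frame in a VXLAN header; used here only to build sample input.
func Encap(vni uint32, frame []byte) []byte {
	hdr := make([]byte, vxlanHeaderLen)
	hdr[0] = 0x08
	binary.BigEndian.PutUint32(hdr[4:8], vni<<8)
	return append(hdr, frame...)
}

// PcapHeader and PcapRecord produce the classic pcap stream an extcap writes to
// Wireshark's FIFO: a 24-byte global header (link type 1 = Ethernet), then a
// 16-byte record header in front of each frame.
func PcapHeader(snaplen uint32) []byte {
	b := make([]byte, 24)
	binary.LittleEndian.PutUint32(b[0:4], 0xa1b2c3d4) // magic; written LE so readers detect our byte order
	binary.LittleEndian.PutUint16(b[4:6], 2)          // major version
	binary.LittleEndian.PutUint16(b[6:8], 4)          // minor version
	// bytes 8-15: thiszone and sigfigs, both left zero
	binary.LittleEndian.PutUint32(b[16:20], snaplen)
	binary.LittleEndian.PutUint32(b[20:24], 1) // LINKTYPE_ETHERNET
	return b
}

func PcapRecord(ts time.Time, frame []byte) []byte {
	b := make([]byte, 16, 16+len(frame))
	binary.LittleEndian.PutUint32(b[0:4], uint32(ts.Unix()))
	binary.LittleEndian.PutUint32(b[4:8], uint32(ts.Nanosecond()/1000))
	binary.LittleEndian.PutUint32(b[8:12], uint32(len(frame)))  // captured length
	binary.LittleEndian.PutUint32(b[12:16], uint32(len(frame))) // original length
	return append(b, frame...)
}

// SampleFrame is a constructed minimal Ethernet frame: dst MAC, src MAC,
// EtherType 0x0800 (IPv4) and four payload bytes.
func SampleFrame() []byte {
	return []byte{
		0x02, 0x00, 0x00, 0x00, 0x00, 0x01, // dst
		0x02, 0x00, 0x00, 0x00, 0x00, 0x02, // src
		0x08, 0x00, // EtherType
		0xde, 0xad, 0xbe, 0xef,
	}
}

func main() {
	const sessionVNI = 4242 // constructed; the real value comes from the mirror session
	frame, err := AcceptForSession(sessionVNI, Encap(sessionVNI, SampleFrame()))
	fmt.Println(len(frame), err, len(PcapRecord(time.Now(), frame))) // 18 <nil> 34
}
```

In a real receiver the session VNI would be read back from the traffic mirror session after it is created, and the pcap bytes would be written to the FIFO path Wireshark passes to the extcap.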