Junkie the network sniffer

build-aux  fix: make dist  October 05, 2012
config  new: cacti host template  November 07, 2012
doc  fix: hashlittle is gone for netmatch as well  October 15, 2013
examples  new: two examples of nettrack usage  May 24, 2012
guile  fix: only check signatures startup postgres packet  February 20, 2014
include  chg: allow an optional mutex pool for streambuf  April 02, 2014
plugins  Fix passing wrong max length to snprintf  November 21, 2013
src  chg: use file_unlink instead of unlink in nettrack and netmatch  April 11, 2014
tests  chg: allow an optional mutex pool for streambuf  April 02, 2014
.gitignore  parse (most of) RPCRequest  February 20, 2014
AUTHORS  fix: states p0f.fp license and ownership.  May 03, 2012
COPYING  WIP: decode master secret  April 17, 2013
Doxyfile  fix: make doc  May 03, 2013
KNOWN_ISSUES  chg: Documenting how to compile Junkie on Debian Lenny.  January 08, 2011
LICENSE.AGPL  Initial commit  December 21, 2010
LICENSE.BSD  Initial commit  December 21, 2010
LICENSE.LGPL  Initial commit  December 21, 2010
LICENSE.OpenSSL  Initial commit  December 21, 2010
LICENSE.ssldump  WIP: decode master secret  April 17, 2013
Makefile.am  chg: dev: Remove no longer used serialization stuff.  September 27, 2013
NEWS  chg: Release safe_region rwlock while destructing unreachable objects  August 22, 2013
README.md  fix: hashlittle is gone for netmatch as well  October 15, 2013
USAGE  Merge remote branch 'gl/master'  May 06, 2011
autogen.sh  chg: Documenting how to compile Junkie on Debian Lenny.  January 08, 2011
configure.ac  chg: added configure option for delete-all-at-exit  April 04, 2014
find_cycles  fix: get rid of all circular dependencies between modules  December 17, 2012
junkie.supp  chg: update valgrind suppressions file for guile2  September 16, 2011
scm2go.am  fix: clean erroneous warnings from guile compiler  August 07, 2012
README.md

Meet Junkie the network sniffer!

At the heart of SecurActive's network performance monitoring application lies a real-time packet sniffer and analyzer. Modular enough to accomplish many different tasks, we believe this tool can be a helpful companion to the modern network administrator and analyst, and so we decided to offer it to the public under a liberal license so that the Open Source community can use it, play with it, and extend it with whatever feature is deemed appropriate.

Compared to previously available tools, junkie lies between tcpdump and wireshark. Unlike tcpdump, its purpose is to parse protocols of any depth; unlike wireshark, though, junkie is designed to analyze traffic in real-time and so cannot parse traffic as exhaustively as wireshark does.

In addition, junkie's design encompasses extensibility and speed:

  • plug-in system + high-level extension language that eases the development and combination of new functionalities;

  • threaded packet capture and analysis for handling high-bandwidth networks;

  • modular architecture to ease the addition of any protocol layer;

  • based on libpcap for portability;

  • well tested in professional settings.

Junkie is still being maintained and extended by SecurActive's dedicated team, but we believe it can be further extended to fulfill many unforeseen purposes.

Todo

Protocol discovery

  • Automatically convert from bro/l7-filter/snort filters to junkie protocol discovery

  • When we find out the proto carried by a TCP connection (one that we know how to parse), register it both ways (using the connection tracking hash?)

Netmatch language

  • a type for signed integers (one way or another - maybe the few operators that really care should exist in two variants?);

  • another special form for converting a name to an ip_addr (or a regular function if we optimize constant away from runtime exec - see below about purity);

  • pure functions taking only constants (and thus returning a constant) should be precomputed;

  • a slice operator to extract a string from another string;

  • it should be correct to match with: (eth) ((ip) (...) or (arp) (...)). In other words, the proto list should be a special form (binding current protos) rather than a fixed preamble;

  • a list of every valid field (with docstrings) for better error messages;

  • a higher level language resembling wireshark's, with automatic insertion of set? predicates;

Nettrack language

  • A www plugin to display each netgraph state;

  • rehashable states (once the global hash is refactored into an incrementally resized hash).

Reports

A plugin to use the aforementioned FSM executable rules to build reports that help classify traffic.

Netflow

Using the above report facility, produce netflow statistics (and stream them).

Minor

  • the writer www plugin must mergecap the split pcap files for download;

  • automatic resolution of inter-module dependencies during init.

Plugins

  • Delayogram should propose to show ack delay

  • A host monitoring tool (monitoring the number of established connections, the connection establishment rate, the number of peers, address associations)

Parsers for:

  • H323

  • SMB

  • MSSQL

  • Accounting protocols (such as RADIUS & DIAMETER)
