├── COPYING ├── README.md ├── doc ├── AUTHORS ├── ChangeLog └── HACKING ├── lib ├── filters │ ├── arp │ ├── auto_rp │ ├── bfd │ ├── bgp │ ├── cdp │ ├── data │ ├── dhcp │ ├── dns │ ├── dtp │ ├── enabled │ │ ├── all │ │ │ ├── arp │ │ │ ├── auto_rp │ │ │ ├── bfd │ │ │ ├── bgp │ │ │ ├── cdp │ │ │ ├── data │ │ │ ├── dhcp │ │ │ ├── dns │ │ │ ├── dtp │ │ │ ├── ftp │ │ │ ├── hsrp │ │ │ ├── http │ │ │ ├── http.authbasic │ │ │ ├── http.request.uri │ │ │ ├── icmp │ │ │ ├── icmp.padding.non-standard │ │ │ ├── icmpv6 │ │ │ ├── igmp │ │ │ ├── inbound │ │ │ ├── ip.proto253 │ │ │ ├── json │ │ │ ├── kerberos │ │ │ ├── kerberos.weak │ │ │ ├── large │ │ │ ├── ldap │ │ │ ├── lldp │ │ │ ├── mop │ │ │ ├── mysql │ │ │ ├── ntp │ │ │ ├── ospf │ │ │ ├── other │ │ │ ├── padding │ │ │ ├── pim │ │ │ ├── sip │ │ │ ├── sip.auth │ │ │ ├── snmp │ │ │ ├── snmp.community │ │ │ ├── ssh │ │ │ ├── stp │ │ │ ├── tc_nv │ │ │ ├── telnet │ │ │ ├── tftp │ │ │ ├── tls │ │ │ ├── tls.certs │ │ │ ├── tls.certs.weak │ │ │ ├── tls.ciphers.weak │ │ │ ├── tls.handshake.server │ │ │ ├── tls.handshake.weak │ │ │ ├── tls.weak │ │ │ ├── vlan.trailer │ │ │ ├── vlans │ │ │ ├── vpn │ │ │ ├── vrrp │ │ │ └── vrrp.no-auth │ │ ├── application │ │ │ ├── data │ │ │ ├── http │ │ │ ├── http.request.uri │ │ │ ├── json │ │ │ ├── kerberos │ │ │ ├── ldap │ │ │ ├── mysql │ │ │ ├── ntp │ │ │ ├── sip │ │ │ ├── snmp │ │ │ ├── ssh │ │ │ ├── tftp │ │ │ ├── tls │ │ │ └── tls.handshake.server │ │ ├── bespoke │ │ │ └── .gitkeep │ │ ├── broadcast │ │ │ ├── arp │ │ │ ├── cdp │ │ │ ├── dhcp │ │ │ ├── dtp │ │ │ ├── hsrp │ │ │ ├── icmpv6 │ │ │ ├── igmp │ │ │ ├── lldp │ │ │ ├── stp │ │ │ └── vrrp │ │ ├── discovery │ │ │ ├── arp │ │ │ ├── bfd │ │ │ ├── cdp │ │ │ ├── dhcp │ │ │ ├── dns │ │ │ ├── dtp │ │ │ ├── hsrp │ │ │ ├── icmp │ │ │ ├── icmpv6 │ │ │ ├── igmp │ │ │ ├── inbound │ │ │ ├── kerberos │ │ │ ├── lldp │ │ │ ├── ntp │ │ │ ├── snmp │ │ │ ├── stp │ │ │ ├── tls.certs │ │ │ ├── vlans │ │ │ ├── vpn │ │ │ └── vrrp │ │ ├── insecure │ │ │ ├── ftp │ 
│ │ ├── http │ │ │ ├── http.authbasic │ │ │ ├── kerberos.weak │ │ │ ├── ldap │ │ │ ├── snmp │ │ │ ├── snmp.community │ │ │ ├── telnet │ │ │ ├── tls.certs.weak │ │ │ ├── tls.ciphers.weak │ │ │ ├── tls.handshake.weak │ │ │ ├── tls.weak │ │ │ └── vrrp.no-auth │ │ ├── oddities │ │ │ ├── bfd │ │ │ ├── icmp.padding.non-standard │ │ │ ├── ip.proto253 │ │ │ ├── large │ │ │ ├── padding │ │ │ ├── tc_nv │ │ │ └── vlan.trailer │ │ ├── routing │ │ │ ├── arp │ │ │ ├── bgp │ │ │ ├── dtp │ │ │ ├── hsrp │ │ │ ├── igmp │ │ │ ├── ospf │ │ │ ├── pim │ │ │ ├── stp │ │ │ ├── vlans │ │ │ ├── vpn │ │ │ └── vrrp │ │ └── vulnerabilities │ │ │ ├── http.authbasic │ │ │ ├── kerberos.weak │ │ │ ├── padding │ │ │ ├── sip.auth │ │ │ ├── tls.certs.weak │ │ │ ├── tls.ciphers.weak │ │ │ ├── tls.handshake.weak │ │ │ ├── tls.weak │ │ │ ├── vlan.trailer │ │ │ └── vrrp.no-auth │ ├── ftp │ ├── hsrp │ ├── http │ ├── http.authbasic │ ├── http.request.uri │ ├── icmp │ ├── icmp.padding.non-standard │ ├── icmpv6 │ ├── igmp │ ├── inbound │ ├── ip.proto253 │ ├── json │ ├── kerberos │ ├── kerberos.weak │ ├── large │ ├── ldap │ ├── lldp │ ├── mop │ ├── mysql │ ├── ntp │ ├── ospf │ ├── padding │ ├── pim │ ├── sip │ ├── sip.auth │ ├── snmp │ ├── snmp.community │ ├── ssh │ ├── stp │ ├── tc_nv │ ├── telnet │ ├── tftp │ ├── tls │ ├── tls.certs │ ├── tls.certs.weak │ ├── tls.ciphers.weak │ ├── tls.handshake.server │ ├── tls.handshake.weak │ ├── tls.weak │ ├── vlan.trailer │ ├── vlans │ ├── vpn │ ├── vrrp │ └── vrrp.no-auth └── misc │ ├── stdio │ └── validate ├── packet-monkey.sh └── tools ├── generate-other-with-bespoke.sh └── generate-other.sh /COPYING: -------------------------------------------------------------------------------- 1 | Copyright (c) 2024, Cisco International Ltd 2 | 3 | Redistribution and use in source and binary forms, with or without 4 | modification, are permitted provided that the following conditions are met: 5 | * Redistributions of source code must retain the above copyright 6 | notice, this 
list of conditions and the following disclaimer. 7 | * Redistributions in binary form must reproduce the above copyright 8 | notice, this list of conditions and the following disclaimer in the 9 | documentation and/or other materials provided with the distribution. 10 | * Neither the name of the Cisco International Ltd nor the 11 | names of its contributors may be used to endorse or promote products 12 | derived from this software without specific prior written permission. 13 | 14 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 15 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 16 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 17 | DISCLAIMED. IN NO EVENT SHALL CISCO INTERNATIONAL LTD BE LIABLE FOR ANY 18 | DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 19 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 20 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 21 | ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 23 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # packet-monkey 2 | 3 | This repository contains a tool to analyse PCAPs using Wireshark filters, highlighting interesting packet flows. 4 | 5 | To use this tool: 6 | 7 | ```./packet-monkey.sh --type all --pcapfilename /path/to/file.pcap``` 8 | 9 | More complicated uses are also possible. 10 | 11 | For any queries about the contents of this repository please contact [Security Advisory EMEAR](mailto:css-adv-outreach@cisco.com). 
12 | 13 | -------------------------------------------------------------------------------- /doc/AUTHORS: -------------------------------------------------------------------------------- 1 | Tim Brown 2 | -------------------------------------------------------------------------------- /doc/ChangeLog: -------------------------------------------------------------------------------- 1 | 2025-05-09 packet-monkey master 2 | 3 | * Merge feature branches from https://gitlab.com/Gzobra/packet-monkey 4 | * Add delete empty file, based on # lines in pcap 5 | * Bug fix: egrep which is now deprecated, switch to "grep -E" 6 | * Bug fix: Added option to delete empty files to the help text 7 | 8 | -- Tim Brown 9 | 10 | 2025-04-11 packet-monkey master 11 | 12 | * Added support for comments in filters 13 | 14 | -- Tim Brown 15 | 16 | 2025-04-07 packet-monkey master 17 | 18 | * Improved tls.weak filters 19 | * Added new filters 20 | * Added lldp filter 21 | * Added mysql filter 22 | * Updated other filter to exclude mysql and lldp 23 | 24 | -- Tim Brown 25 | 26 | 2025-03-31 packet-monkey master 27 | 28 | * Merge pull request #1 from iamleot/env-bash-shebang 29 | * Make bash shebangs more agnostic (do not rely on hardcoded `/bin/bash`) 30 | * Merge pull request #2 from iamleot/use-actual-and-in-tests 31 | * Do not use `-a` in test(1) 32 | * Updated doc/ChangeLog 33 | 34 | -- Tim Brown 35 | 36 | 2025-03-30 packet-monkey master 37 | 38 | * Bug fix: Updated the per-file licensing to close #3 39 | * Bug fix: Updated references to docs and CHANGELOG to doc and ChangeLog 40 | 41 | -- Tim Brown 42 | 43 | 2025-03-29 packet-monkey master 44 | 45 | * Added doc/HACKING, doc/ChangeLog 46 | 47 | -- Tim Brown 48 | 49 | 2025-03-28 packet-monkey 2021 - 2025 50 | 51 | * Merge branch 'master' of github.com:timb-machine/packet-monkey 52 | * Improved error handling as reported by @shhanif 53 | * Added tls.handshake.server filter 54 | * Added snmp.community filter 55 | * Updated README.md 56 | * Added 
COPYING 57 | * Added new filters 58 | * Fixed typo 59 | * Added new filters 60 | * Added tls.handshake.weak filter 61 | * Improved tls.certs.weak filter 62 | * Added tls.handshake.weak filter 63 | * Improved tls.certs.weak 64 | * Changed how generate-other.sh works to make customisation easier 65 | * Added new filters 66 | * Added support for extracting full streams 67 | * Initial commit 68 | 69 | -- Tim Brown 70 | -------------------------------------------------------------------------------- /doc/HACKING: -------------------------------------------------------------------------------- 1 | General: 2 | 3 | * doc/* exists for a reason, especially doc/ChangeLog 4 | * Changes should match commit messages, barring mistakes 5 | * "Bug fix:" should be used to identify minor changes due to 6 | coding errors 7 | * doc/ChangeLog should reference filename of changed files 8 | * Quote correctly 9 | * Use double-quotes, not single-quotes 10 | * Variable names should be descriptive 11 | * Reference variables as ${variablename} 12 | * "printf --" unless you have reason not to 13 | * Avoid unnecessary cats, never use two commands if one will do 14 | * No unnecessary new lines, the only blocks should be those 15 | introduced by code: if/then/else/fi etc 16 | * Redirects take the form >/path/to/redirect/to (i.e. no space) 17 | 18 | lib/misc/*: 19 | 20 | * New APIs can be freely added 21 | * Don't read _ if there's a chance the data may be useful later 22 | * Validate your input using lib/misc/validate 23 | 24 | lib/filters/*: 25 | 26 | * Wherever possible ensure you specify the layer 2/3 protocol 27 | e.g. 
udp, tcp minimum, before anything more specific 28 | * Do similar at layer 4, if the filter might mistakenly match on 29 | other protocols 30 | -------------------------------------------------------------------------------- /lib/filters/arp: -------------------------------------------------------------------------------- 1 | arp 2 | -------------------------------------------------------------------------------- /lib/filters/auto_rp: -------------------------------------------------------------------------------- 1 | auto_rp 2 | -------------------------------------------------------------------------------- /lib/filters/bfd: -------------------------------------------------------------------------------- 1 | udp and bfd 2 | -------------------------------------------------------------------------------- /lib/filters/bgp: -------------------------------------------------------------------------------- 1 | tcp and bgp 2 | -------------------------------------------------------------------------------- /lib/filters/cdp: -------------------------------------------------------------------------------- 1 | cdp 2 | -------------------------------------------------------------------------------- /lib/filters/data: -------------------------------------------------------------------------------- 1 | data 2 | -------------------------------------------------------------------------------- /lib/filters/dhcp: -------------------------------------------------------------------------------- 1 | udp and dhcp 2 | -------------------------------------------------------------------------------- /lib/filters/dns: -------------------------------------------------------------------------------- 1 | udp and dns 2 | -------------------------------------------------------------------------------- /lib/filters/dtp: -------------------------------------------------------------------------------- 1 | dtp 2 | -------------------------------------------------------------------------------- 
/lib/filters/enabled/all/arp: -------------------------------------------------------------------------------- 1 | ../../arp -------------------------------------------------------------------------------- /lib/filters/enabled/all/auto_rp: -------------------------------------------------------------------------------- 1 | ../../auto_rp -------------------------------------------------------------------------------- /lib/filters/enabled/all/bfd: -------------------------------------------------------------------------------- 1 | ../../bfd -------------------------------------------------------------------------------- /lib/filters/enabled/all/bgp: -------------------------------------------------------------------------------- 1 | ../../bgp -------------------------------------------------------------------------------- /lib/filters/enabled/all/cdp: -------------------------------------------------------------------------------- 1 | ../../cdp -------------------------------------------------------------------------------- /lib/filters/enabled/all/data: -------------------------------------------------------------------------------- 1 | ../../data -------------------------------------------------------------------------------- /lib/filters/enabled/all/dhcp: -------------------------------------------------------------------------------- 1 | ../../dhcp -------------------------------------------------------------------------------- /lib/filters/enabled/all/dns: -------------------------------------------------------------------------------- 1 | ../../dns -------------------------------------------------------------------------------- /lib/filters/enabled/all/dtp: -------------------------------------------------------------------------------- 1 | ../../dtp -------------------------------------------------------------------------------- /lib/filters/enabled/all/ftp: -------------------------------------------------------------------------------- 1 | ../../ftp 
-------------------------------------------------------------------------------- /lib/filters/enabled/all/hsrp: -------------------------------------------------------------------------------- 1 | ../../hsrp -------------------------------------------------------------------------------- /lib/filters/enabled/all/http: -------------------------------------------------------------------------------- 1 | ../../http -------------------------------------------------------------------------------- /lib/filters/enabled/all/http.authbasic: -------------------------------------------------------------------------------- 1 | ../../http.authbasic -------------------------------------------------------------------------------- /lib/filters/enabled/all/http.request.uri: -------------------------------------------------------------------------------- 1 | ../../http.request.uri -------------------------------------------------------------------------------- /lib/filters/enabled/all/icmp: -------------------------------------------------------------------------------- 1 | ../../icmp -------------------------------------------------------------------------------- /lib/filters/enabled/all/icmp.padding.non-standard: -------------------------------------------------------------------------------- 1 | ../../icmp.padding.non-standard -------------------------------------------------------------------------------- /lib/filters/enabled/all/icmpv6: -------------------------------------------------------------------------------- 1 | ../../icmpv6 -------------------------------------------------------------------------------- /lib/filters/enabled/all/igmp: -------------------------------------------------------------------------------- 1 | ../../igmp -------------------------------------------------------------------------------- /lib/filters/enabled/all/inbound: -------------------------------------------------------------------------------- 1 | ../../inbound 
-------------------------------------------------------------------------------- /lib/filters/enabled/all/ip.proto253: -------------------------------------------------------------------------------- 1 | ../../ip.proto253 -------------------------------------------------------------------------------- /lib/filters/enabled/all/json: -------------------------------------------------------------------------------- 1 | ../../json -------------------------------------------------------------------------------- /lib/filters/enabled/all/kerberos: -------------------------------------------------------------------------------- 1 | ../../kerberos -------------------------------------------------------------------------------- /lib/filters/enabled/all/kerberos.weak: -------------------------------------------------------------------------------- 1 | ../../kerberos.weak -------------------------------------------------------------------------------- /lib/filters/enabled/all/large: -------------------------------------------------------------------------------- 1 | ../../large -------------------------------------------------------------------------------- /lib/filters/enabled/all/ldap: -------------------------------------------------------------------------------- 1 | ../../ldap -------------------------------------------------------------------------------- /lib/filters/enabled/all/lldp: -------------------------------------------------------------------------------- 1 | ../../lldp -------------------------------------------------------------------------------- /lib/filters/enabled/all/mop: -------------------------------------------------------------------------------- 1 | ../../mop -------------------------------------------------------------------------------- /lib/filters/enabled/all/mysql: -------------------------------------------------------------------------------- 1 | ../../mysql -------------------------------------------------------------------------------- 
/lib/filters/enabled/all/ntp: -------------------------------------------------------------------------------- 1 | ../../ntp -------------------------------------------------------------------------------- /lib/filters/enabled/all/ospf: -------------------------------------------------------------------------------- 1 | ../../ospf -------------------------------------------------------------------------------- /lib/filters/enabled/all/other: -------------------------------------------------------------------------------- 1 | !(arp) and !(auto_rp) and !(udp and bfd) and !(tcp and bgp) and !(cdp) and !(data) and !(udp and dhcp) and !(udp and dns) and !(dtp) and !(tcp and ftp) and !(udp and hsrp) and !(tcp and http) and !(tcp and http.authbasic) and !(tcp and http.request.uri) and !(icmp) and !(icmp and !(data.data contains 10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f:20:21:22:23:24:25:26:27:28:29:2a:2b:2c:2d:2e:2f:30:31:32:33:34:35:36:37)) and !(icmpv6) and !(igmp) and !(tcp and tcp.flags.syn == 1 and tcp.flags.ack == 0) and !(ip.proto == 253) and !(data contains "\":") and !(udp and kerberos) and !(udp and (kerberos.etype < 18 or kerberos.etype == 23 or kerberos.etype == 24)) and !(ip.len > 1024) and !(tcp and ldap) and !(eth.type == 0x6001) and !(udp and ntp) and !(ospf) and !(eth.padding) and !(pim) and !(tcp and ssh) and !(stp) and !(tc_nv) and !(tcp and telnet) and !(udp and tftp) and !(tcp and tls) and !(tcp and tls.handshake.certificate) and !(tcp and tls.handshake.certificate and !(x509af.algorithm.id == 1.2.840.113549.1.1.11 or x509af.algorithm.id == 1.2.840.113549.1.1.1)) and !(tcp and tls.handshake.ciphersuite >= 0x0000 and tls.handshake.ciphersuite <= 0x0023) and !(tcp and tls.handshake.sig_hash_alg >= 0x0000 and tls.handshake.sig_hash_alg < 0x0401) and !(tcp and !(tls.record.version == 0x0301 and tls.handshake.version == 0x0303) and !(tls.record.version == 0x0303)) and !(vlan.id) and !(vlan.trailer) and !(udp and (isakmp or esp)) and !(vrrp) and 
!(vrrp.auth_type == 0) and !(udp and snmp) and !(udp and sip) and !(udp and sip.auth) and !(udp and snmp.community) and !(tcp and tls.handshake.type == 2) and !(tcp and mysql) and !(lldp) 2 | -------------------------------------------------------------------------------- /lib/filters/enabled/all/padding: -------------------------------------------------------------------------------- 1 | ../../padding -------------------------------------------------------------------------------- /lib/filters/enabled/all/pim: -------------------------------------------------------------------------------- 1 | ../../pim -------------------------------------------------------------------------------- /lib/filters/enabled/all/sip: -------------------------------------------------------------------------------- 1 | ../../sip -------------------------------------------------------------------------------- /lib/filters/enabled/all/sip.auth: -------------------------------------------------------------------------------- 1 | ../../sip.auth -------------------------------------------------------------------------------- /lib/filters/enabled/all/snmp: -------------------------------------------------------------------------------- 1 | ../../snmp -------------------------------------------------------------------------------- /lib/filters/enabled/all/snmp.community: -------------------------------------------------------------------------------- 1 | ../../snmp.community -------------------------------------------------------------------------------- /lib/filters/enabled/all/ssh: -------------------------------------------------------------------------------- 1 | ../../ssh -------------------------------------------------------------------------------- /lib/filters/enabled/all/stp: -------------------------------------------------------------------------------- 1 | ../../stp -------------------------------------------------------------------------------- /lib/filters/enabled/all/tc_nv: 
-------------------------------------------------------------------------------- 1 | ../../tc_nv -------------------------------------------------------------------------------- /lib/filters/enabled/all/telnet: -------------------------------------------------------------------------------- 1 | ../../telnet -------------------------------------------------------------------------------- /lib/filters/enabled/all/tftp: -------------------------------------------------------------------------------- 1 | ../../tftp -------------------------------------------------------------------------------- /lib/filters/enabled/all/tls: -------------------------------------------------------------------------------- 1 | ../../tls -------------------------------------------------------------------------------- /lib/filters/enabled/all/tls.certs: -------------------------------------------------------------------------------- 1 | ../../tls.certs -------------------------------------------------------------------------------- /lib/filters/enabled/all/tls.certs.weak: -------------------------------------------------------------------------------- 1 | ../../tls.certs.weak -------------------------------------------------------------------------------- /lib/filters/enabled/all/tls.ciphers.weak: -------------------------------------------------------------------------------- 1 | ../../tls.ciphers.weak -------------------------------------------------------------------------------- /lib/filters/enabled/all/tls.handshake.server: -------------------------------------------------------------------------------- 1 | ../../tls.handshake.server -------------------------------------------------------------------------------- /lib/filters/enabled/all/tls.handshake.weak: -------------------------------------------------------------------------------- 1 | ../../tls.handshake.weak -------------------------------------------------------------------------------- /lib/filters/enabled/all/tls.weak: 
-------------------------------------------------------------------------------- 1 | ../../tls.weak -------------------------------------------------------------------------------- /lib/filters/enabled/all/vlan.trailer: -------------------------------------------------------------------------------- 1 | ../../vlan.trailer -------------------------------------------------------------------------------- /lib/filters/enabled/all/vlans: -------------------------------------------------------------------------------- 1 | ../../vlans -------------------------------------------------------------------------------- /lib/filters/enabled/all/vpn: -------------------------------------------------------------------------------- 1 | ../../vpn -------------------------------------------------------------------------------- /lib/filters/enabled/all/vrrp: -------------------------------------------------------------------------------- 1 | ../../vrrp -------------------------------------------------------------------------------- /lib/filters/enabled/all/vrrp.no-auth: -------------------------------------------------------------------------------- 1 | ../../vrrp.no-auth -------------------------------------------------------------------------------- /lib/filters/enabled/application/data: -------------------------------------------------------------------------------- 1 | ../../data -------------------------------------------------------------------------------- /lib/filters/enabled/application/http: -------------------------------------------------------------------------------- 1 | ../../http -------------------------------------------------------------------------------- /lib/filters/enabled/application/http.request.uri: -------------------------------------------------------------------------------- 1 | ../../http.request.uri -------------------------------------------------------------------------------- /lib/filters/enabled/application/json: 
-------------------------------------------------------------------------------- 1 | ../../json -------------------------------------------------------------------------------- /lib/filters/enabled/application/kerberos: -------------------------------------------------------------------------------- 1 | ../../kerberos -------------------------------------------------------------------------------- /lib/filters/enabled/application/ldap: -------------------------------------------------------------------------------- 1 | ../../ldap -------------------------------------------------------------------------------- /lib/filters/enabled/application/mysql: -------------------------------------------------------------------------------- 1 | ../../mysql -------------------------------------------------------------------------------- /lib/filters/enabled/application/ntp: -------------------------------------------------------------------------------- 1 | ../../ntp -------------------------------------------------------------------------------- /lib/filters/enabled/application/sip: -------------------------------------------------------------------------------- 1 | ../../sip -------------------------------------------------------------------------------- /lib/filters/enabled/application/snmp: -------------------------------------------------------------------------------- 1 | ../../snmp -------------------------------------------------------------------------------- /lib/filters/enabled/application/ssh: -------------------------------------------------------------------------------- 1 | ../../ssh -------------------------------------------------------------------------------- /lib/filters/enabled/application/tftp: -------------------------------------------------------------------------------- 1 | ../../tftp -------------------------------------------------------------------------------- /lib/filters/enabled/application/tls: 
-------------------------------------------------------------------------------- 1 | ../../tls -------------------------------------------------------------------------------- /lib/filters/enabled/application/tls.handshake.server: -------------------------------------------------------------------------------- 1 | ../../tls.handshake.server -------------------------------------------------------------------------------- /lib/filters/enabled/bespoke/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/timb-machine/packet-monkey/423ce9b35b4dd3697d3d3f2ca1dec01643abf159/lib/filters/enabled/bespoke/.gitkeep -------------------------------------------------------------------------------- /lib/filters/enabled/broadcast/arp: -------------------------------------------------------------------------------- 1 | ../../arp -------------------------------------------------------------------------------- /lib/filters/enabled/broadcast/cdp: -------------------------------------------------------------------------------- 1 | ../../cdp -------------------------------------------------------------------------------- /lib/filters/enabled/broadcast/dhcp: -------------------------------------------------------------------------------- 1 | ../../dhcp -------------------------------------------------------------------------------- /lib/filters/enabled/broadcast/dtp: -------------------------------------------------------------------------------- 1 | ../../dtp -------------------------------------------------------------------------------- /lib/filters/enabled/broadcast/hsrp: -------------------------------------------------------------------------------- 1 | ../../hsrp -------------------------------------------------------------------------------- /lib/filters/enabled/broadcast/icmpv6: -------------------------------------------------------------------------------- 1 | ../../icmpv6 
-------------------------------------------------------------------------------- /lib/filters/enabled/broadcast/igmp: -------------------------------------------------------------------------------- 1 | ../../igmp -------------------------------------------------------------------------------- /lib/filters/enabled/broadcast/lldp: -------------------------------------------------------------------------------- 1 | ../../lldp -------------------------------------------------------------------------------- /lib/filters/enabled/broadcast/stp: -------------------------------------------------------------------------------- 1 | ../../stp -------------------------------------------------------------------------------- /lib/filters/enabled/broadcast/vrrp: -------------------------------------------------------------------------------- 1 | ../../vrrp -------------------------------------------------------------------------------- /lib/filters/enabled/discovery/arp: -------------------------------------------------------------------------------- 1 | ../../arp -------------------------------------------------------------------------------- /lib/filters/enabled/discovery/bfd: -------------------------------------------------------------------------------- 1 | ../../bfd -------------------------------------------------------------------------------- /lib/filters/enabled/discovery/cdp: -------------------------------------------------------------------------------- 1 | ../../cdp -------------------------------------------------------------------------------- /lib/filters/enabled/discovery/dhcp: -------------------------------------------------------------------------------- 1 | ../../dhcp -------------------------------------------------------------------------------- /lib/filters/enabled/discovery/dns: -------------------------------------------------------------------------------- 1 | ../../dns -------------------------------------------------------------------------------- 
/lib/filters/enabled/discovery/dtp: -------------------------------------------------------------------------------- 1 | ../../dtp -------------------------------------------------------------------------------- /lib/filters/enabled/discovery/hsrp: -------------------------------------------------------------------------------- 1 | ../../hsrp -------------------------------------------------------------------------------- /lib/filters/enabled/discovery/icmp: -------------------------------------------------------------------------------- 1 | ../../icmp -------------------------------------------------------------------------------- /lib/filters/enabled/discovery/icmpv6: -------------------------------------------------------------------------------- 1 | ../../icmpv6 -------------------------------------------------------------------------------- /lib/filters/enabled/discovery/igmp: -------------------------------------------------------------------------------- 1 | ../../igmp -------------------------------------------------------------------------------- /lib/filters/enabled/discovery/inbound: -------------------------------------------------------------------------------- 1 | ../../inbound -------------------------------------------------------------------------------- /lib/filters/enabled/discovery/kerberos: -------------------------------------------------------------------------------- 1 | ../../kerberos -------------------------------------------------------------------------------- /lib/filters/enabled/discovery/lldp: -------------------------------------------------------------------------------- 1 | ../../lldp -------------------------------------------------------------------------------- /lib/filters/enabled/discovery/ntp: -------------------------------------------------------------------------------- 1 | ../../ntp -------------------------------------------------------------------------------- /lib/filters/enabled/discovery/snmp: 
-------------------------------------------------------------------------------- 1 | ../../snmp -------------------------------------------------------------------------------- /lib/filters/enabled/discovery/stp: -------------------------------------------------------------------------------- 1 | ../../stp -------------------------------------------------------------------------------- /lib/filters/enabled/discovery/tls.certs: -------------------------------------------------------------------------------- 1 | ../../tls.certs -------------------------------------------------------------------------------- /lib/filters/enabled/discovery/vlans: -------------------------------------------------------------------------------- 1 | ../../vlans -------------------------------------------------------------------------------- /lib/filters/enabled/discovery/vpn: -------------------------------------------------------------------------------- 1 | ../../vpn -------------------------------------------------------------------------------- /lib/filters/enabled/discovery/vrrp: -------------------------------------------------------------------------------- 1 | ../../vrrp -------------------------------------------------------------------------------- /lib/filters/enabled/insecure/ftp: -------------------------------------------------------------------------------- 1 | ../../ftp -------------------------------------------------------------------------------- /lib/filters/enabled/insecure/http: -------------------------------------------------------------------------------- 1 | ../../http -------------------------------------------------------------------------------- /lib/filters/enabled/insecure/http.authbasic: -------------------------------------------------------------------------------- 1 | ../../http.authbasic -------------------------------------------------------------------------------- /lib/filters/enabled/insecure/kerberos.weak: 
-------------------------------------------------------------------------------- 1 | ../../kerberos.weak -------------------------------------------------------------------------------- /lib/filters/enabled/insecure/ldap: -------------------------------------------------------------------------------- 1 | ../../ldap -------------------------------------------------------------------------------- /lib/filters/enabled/insecure/snmp: -------------------------------------------------------------------------------- 1 | ../../snmp -------------------------------------------------------------------------------- /lib/filters/enabled/insecure/snmp.community: -------------------------------------------------------------------------------- 1 | ../../snmp.community -------------------------------------------------------------------------------- /lib/filters/enabled/insecure/telnet: -------------------------------------------------------------------------------- 1 | ../../telnet -------------------------------------------------------------------------------- /lib/filters/enabled/insecure/tls.certs.weak: -------------------------------------------------------------------------------- 1 | ../../tls.certs.weak -------------------------------------------------------------------------------- /lib/filters/enabled/insecure/tls.ciphers.weak: -------------------------------------------------------------------------------- 1 | ../../tls.ciphers.weak -------------------------------------------------------------------------------- /lib/filters/enabled/insecure/tls.handshake.weak: -------------------------------------------------------------------------------- 1 | ../../tls.handshake.weak -------------------------------------------------------------------------------- /lib/filters/enabled/insecure/tls.weak: -------------------------------------------------------------------------------- 1 | ../../tls.weak -------------------------------------------------------------------------------- 
/lib/filters/enabled/insecure/vrrp.no-auth: -------------------------------------------------------------------------------- 1 | ../../vrrp.no-auth -------------------------------------------------------------------------------- /lib/filters/enabled/oddities/bfd: -------------------------------------------------------------------------------- 1 | ../../bfd -------------------------------------------------------------------------------- /lib/filters/enabled/oddities/icmp.padding.non-standard: -------------------------------------------------------------------------------- 1 | ../../icmp.padding.non-standard -------------------------------------------------------------------------------- /lib/filters/enabled/oddities/ip.proto253: -------------------------------------------------------------------------------- 1 | ../../ip.proto253 -------------------------------------------------------------------------------- /lib/filters/enabled/oddities/large: -------------------------------------------------------------------------------- 1 | ../../large -------------------------------------------------------------------------------- /lib/filters/enabled/oddities/padding: -------------------------------------------------------------------------------- 1 | ../../padding -------------------------------------------------------------------------------- /lib/filters/enabled/oddities/tc_nv: -------------------------------------------------------------------------------- 1 | ../../tc_nv -------------------------------------------------------------------------------- /lib/filters/enabled/oddities/vlan.trailer: -------------------------------------------------------------------------------- 1 | ../../vlan.trailer -------------------------------------------------------------------------------- /lib/filters/enabled/routing/arp: -------------------------------------------------------------------------------- 1 | ../../arp 
-------------------------------------------------------------------------------- /lib/filters/enabled/routing/bgp: -------------------------------------------------------------------------------- 1 | ../../bgp -------------------------------------------------------------------------------- /lib/filters/enabled/routing/dtp: -------------------------------------------------------------------------------- 1 | ../../dtp -------------------------------------------------------------------------------- /lib/filters/enabled/routing/hsrp: -------------------------------------------------------------------------------- 1 | ../../hsrp -------------------------------------------------------------------------------- /lib/filters/enabled/routing/igmp: -------------------------------------------------------------------------------- 1 | ../../igmp -------------------------------------------------------------------------------- /lib/filters/enabled/routing/ospf: -------------------------------------------------------------------------------- 1 | ../../ospf -------------------------------------------------------------------------------- /lib/filters/enabled/routing/pim: -------------------------------------------------------------------------------- 1 | ../../pim -------------------------------------------------------------------------------- /lib/filters/enabled/routing/stp: -------------------------------------------------------------------------------- 1 | ../../stp -------------------------------------------------------------------------------- /lib/filters/enabled/routing/vlans: -------------------------------------------------------------------------------- 1 | ../../vlans -------------------------------------------------------------------------------- /lib/filters/enabled/routing/vpn: -------------------------------------------------------------------------------- 1 | ../../vpn -------------------------------------------------------------------------------- 
/lib/filters/enabled/routing/vrrp: -------------------------------------------------------------------------------- 1 | ../../vrrp -------------------------------------------------------------------------------- /lib/filters/enabled/vulnerabilities/http.authbasic: -------------------------------------------------------------------------------- 1 | ../../http.authbasic -------------------------------------------------------------------------------- /lib/filters/enabled/vulnerabilities/kerberos.weak: -------------------------------------------------------------------------------- 1 | ../../kerberos.weak -------------------------------------------------------------------------------- /lib/filters/enabled/vulnerabilities/padding: -------------------------------------------------------------------------------- 1 | ../../padding -------------------------------------------------------------------------------- /lib/filters/enabled/vulnerabilities/sip.auth: -------------------------------------------------------------------------------- 1 | ../../sip.auth -------------------------------------------------------------------------------- /lib/filters/enabled/vulnerabilities/tls.certs.weak: -------------------------------------------------------------------------------- 1 | ../../tls.certs.weak -------------------------------------------------------------------------------- /lib/filters/enabled/vulnerabilities/tls.ciphers.weak: -------------------------------------------------------------------------------- 1 | ../../tls.ciphers.weak -------------------------------------------------------------------------------- /lib/filters/enabled/vulnerabilities/tls.handshake.weak: -------------------------------------------------------------------------------- 1 | ../../tls.handshake.weak -------------------------------------------------------------------------------- /lib/filters/enabled/vulnerabilities/tls.weak: 
-------------------------------------------------------------------------------- 1 | ../../tls.weak -------------------------------------------------------------------------------- /lib/filters/enabled/vulnerabilities/vlan.trailer: -------------------------------------------------------------------------------- 1 | ../../vlan.trailer -------------------------------------------------------------------------------- /lib/filters/enabled/vulnerabilities/vrrp.no-auth: -------------------------------------------------------------------------------- 1 | ../../vrrp.no-auth -------------------------------------------------------------------------------- /lib/filters/ftp: -------------------------------------------------------------------------------- 1 | tcp and ftp 2 | -------------------------------------------------------------------------------- /lib/filters/hsrp: -------------------------------------------------------------------------------- 1 | udp and hsrp 2 | -------------------------------------------------------------------------------- /lib/filters/http: -------------------------------------------------------------------------------- 1 | tcp and http 2 | -------------------------------------------------------------------------------- /lib/filters/http.authbasic: -------------------------------------------------------------------------------- 1 | tcp and http.authbasic 2 | -------------------------------------------------------------------------------- /lib/filters/http.request.uri: -------------------------------------------------------------------------------- 1 | tcp and http.request.uri 2 | -------------------------------------------------------------------------------- /lib/filters/icmp: -------------------------------------------------------------------------------- 1 | icmp 2 | -------------------------------------------------------------------------------- /lib/filters/icmp.padding.non-standard: 
--------------------------------------------------------------------------------
# ICMP whose payload does NOT carry the 0x10..0x37 byte run that the default
# iputils/BSD ping puts in echo requests. Unusual payloads can indicate ICMP
# tunnelling or covert channels, but NOTE(review): other ping implementations
# use other payloads (Windows ping sends an alphabetic pattern), so hits are
# leads to inspect, not evidence on their own.
1 | icmp and !(data.data contains 10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f:20:21:22:23:24:25:26:27:28:29:2a:2b:2c:2d:2e:2f:30:31:32:33:34:35:36:37) 2 | -------------------------------------------------------------------------------- /lib/filters/icmpv6: -------------------------------------------------------------------------------- 1 | icmpv6 2 | -------------------------------------------------------------------------------- /lib/filters/igmp: -------------------------------------------------------------------------------- 1 | igmp 2 | -------------------------------------------------------------------------------- /lib/filters/inbound: --------------------------------------------------------------------------------
# Every TCP SYN without ACK, i.e. connection attempts. "Inbound" is relative to
# the SYN's sender: scans and outbound connections from the captured host match
# just as well.
1 | tcp and tcp.flags.syn == 1 and tcp.flags.ack == 0 2 | -------------------------------------------------------------------------------- /lib/filters/ip.proto253: --------------------------------------------------------------------------------
# IP protocol 253 is reserved for experimentation and testing (RFC 3692), so
# it should not appear on a production network at all.
1 | ip.proto == 253 2 | -------------------------------------------------------------------------------- /lib/filters/json: -------------------------------------------------------------------------------- 1 | data contains "\":" 2 | -------------------------------------------------------------------------------- /lib/filters/kerberos: -------------------------------------------------------------------------------- 1 | udp and kerberos 2 | -------------------------------------------------------------------------------- /lib/filters/kerberos.weak: --------------------------------------------------------------------------------
# Kerberos messages using pre-AES encryption types: everything below 18
# (DES 1-3, 3DES 16, ...) plus RC4-HMAC (23) and RC4-HMAC-EXP (24).
# NOTE(review): "kerberos.etype < 18" also matches etype 17,
# aes128-cts-hmac-sha1-96 (RFC 3962), which is not normally considered weak.
# If only DES/3DES/RC4 are meant, "< 17" or an explicit etype list avoids that
# false positive - confirm the intent before tightening.
1 | udp and (kerberos.etype < 18 or kerberos.etype == 23 or kerberos.etype == 24) 2 | -------------------------------------------------------------------------------- /lib/filters/large: --------------------------------------------------------------------------------
# ip.len is the IPv4 total-length field, so IPv6 packets are never matched
# (those would need ipv6.plen).
1 | ip.len > 1024 2 | 
-------------------------------------------------------------------------------- /lib/filters/ldap: -------------------------------------------------------------------------------- 1 | tcp and ldap 2 | -------------------------------------------------------------------------------- /lib/filters/lldp: -------------------------------------------------------------------------------- 1 | lldp 2 | -------------------------------------------------------------------------------- /lib/filters/mop: -------------------------------------------------------------------------------- 1 | eth.type == 0x6001 2 | -------------------------------------------------------------------------------- /lib/filters/mysql: -------------------------------------------------------------------------------- 1 | tcp and mysql 2 | -------------------------------------------------------------------------------- /lib/filters/ntp: -------------------------------------------------------------------------------- 1 | udp and ntp 2 | -------------------------------------------------------------------------------- /lib/filters/ospf: -------------------------------------------------------------------------------- 1 | ospf 2 | -------------------------------------------------------------------------------- /lib/filters/padding: -------------------------------------------------------------------------------- 1 | eth.padding 2 | -------------------------------------------------------------------------------- /lib/filters/pim: -------------------------------------------------------------------------------- 1 | pim 2 | -------------------------------------------------------------------------------- /lib/filters/sip: -------------------------------------------------------------------------------- 1 | udp and sip 2 | -------------------------------------------------------------------------------- /lib/filters/sip.auth: -------------------------------------------------------------------------------- 1 | udp and 
sip.auth 2 | -------------------------------------------------------------------------------- /lib/filters/snmp: -------------------------------------------------------------------------------- 1 | udp and snmp 2 | -------------------------------------------------------------------------------- /lib/filters/snmp.community: -------------------------------------------------------------------------------- 1 | udp and snmp.community 2 | -------------------------------------------------------------------------------- /lib/filters/ssh: -------------------------------------------------------------------------------- 1 | tcp and ssh 2 | -------------------------------------------------------------------------------- /lib/filters/stp: -------------------------------------------------------------------------------- 1 | stp 2 | -------------------------------------------------------------------------------- /lib/filters/tc_nv: -------------------------------------------------------------------------------- 1 | tc_nv 2 | -------------------------------------------------------------------------------- /lib/filters/telnet: -------------------------------------------------------------------------------- 1 | tcp and telnet 2 | -------------------------------------------------------------------------------- /lib/filters/tftp: -------------------------------------------------------------------------------- 1 | udp and tftp 2 | -------------------------------------------------------------------------------- /lib/filters/tls: -------------------------------------------------------------------------------- 1 | tcp and tls 2 | -------------------------------------------------------------------------------- /lib/filters/tls.certs: -------------------------------------------------------------------------------- 1 | tcp and tls.handshake.certificate 2 | -------------------------------------------------------------------------------- /lib/filters/tls.certs.weak: 
--------------------------------------------------------------------------------
# Certificates whose AlgorithmIdentifiers are neither sha256WithRSAEncryption
# (1.2.840.113549.1.1.11) nor rsaEncryption (1.2.840.113549.1.1.1).
# NOTE(review): this is an allow-list, not a weak-list. ECDSA-signed and
# sha384/sha512-RSA certificates are reported as "weak". Conversely,
# rsaEncryption is the SubjectPublicKeyInfo algorithm of every RSA
# certificate; if x509af.algorithm.id also covers that field (Wireshark's ==
# is true when any occurrence matches), an RSA certificate signed with
# sha1WithRSAEncryption (1.2.840.113549.1.1.5) would never be reported.
# Verify against a known SHA-1 certificate; a positive list of weak signature
# OIDs (md5WithRSA 1.2.840.113549.1.1.4, sha1WithRSA 1.2.840.113549.1.1.5,
# ecdsa-with-SHA1 1.2.840.10045.4.1) would be unambiguous.
1 | tcp and tls.handshake.certificate and !(x509af.algorithm.id == 1.2.840.113549.1.1.11 or x509af.algorithm.id == 1.2.840.113549.1.1.1) 2 | -------------------------------------------------------------------------------- /lib/filters/tls.ciphers.weak: --------------------------------------------------------------------------------
# Cipher suites in the lowest registry block (NULL, export, RC4, DES, IDEA,
# 3DES = 0x000A). NOTE(review): weak suites with higher code points (e.g. the
# 0x0026-0x002B KRB5 export variants) fall outside this range - confirm the
# bound is intentional.
1 | tcp and tls.handshake.ciphersuite >= 0x0000 and tls.handshake.ciphersuite <= 0x0023 2 | -------------------------------------------------------------------------------- /lib/filters/tls.handshake.server: -------------------------------------------------------------------------------- 1 | tcp and tls.handshake.type == 2 2 | -------------------------------------------------------------------------------- /lib/filters/tls.handshake.weak: --------------------------------------------------------------------------------
# SignatureAndHashAlgorithm values whose hash byte is below 0x04 (sha256), i.e.
# md5/sha1/sha224 with any signature algorithm. sha256 and up, and the TLS 1.3
# schemes such as 0x0804 rsa_pss_rsae_sha256, are >= 0x0401 and pass.
1 | tcp and tls.handshake.sig_hash_alg >= 0x0000 and tls.handshake.sig_hash_alg < 0x0401 2 | -------------------------------------------------------------------------------- /lib/filters/tls.weak: --------------------------------------------------------------------------------
# TLS records that are not TLS 1.2 (0x0303) and are not a TLS 1.2 handshake
# carried in a 0x0301 record (the usual ClientHello framing): in practice
# SSL 3.0 / TLS 1.0 / TLS 1.1 records. TLS 1.3 uses 0x0303 as its
# legacy_record_version and therefore passes.
1 | tcp and tls and !(tls.record.version == 0x0301 and tls.handshake.version == 0x0303) and !(tls.record.version == 0x0303) 2 | -------------------------------------------------------------------------------- /lib/filters/vlan.trailer: -------------------------------------------------------------------------------- 1 | vlan.trailer 2 | -------------------------------------------------------------------------------- /lib/filters/vlans: -------------------------------------------------------------------------------- 1 | vlan.id 2 | -------------------------------------------------------------------------------- /lib/filters/vpn: --------------------------------------------------------------------------------
# IKE/ISAKMP (UDP 500/4500) and NAT-T encapsulated ESP.
# NOTE(review): because of the leading "udp and", ESP carried directly in IP
# (ip.proto == 50) is NOT matched; use "isakmp or esp" if native ESP matters.
1 | udp and (isakmp or esp) 2 | 
-------------------------------------------------------------------------------- /lib/filters/vrrp: -------------------------------------------------------------------------------- 1 | vrrp 2 | -------------------------------------------------------------------------------- /lib/filters/vrrp.no-auth: -------------------------------------------------------------------------------- 1 | vrrp.auth_type == 0 2 | -------------------------------------------------------------------------------- /lib/misc/stdio: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Copyright (c) 2021-2025, Tim Brown 3 | # Copyright (c) 2025, Cisco International Ltd 4 | # 5 | # Redistribution and use in source and binary forms, with or without 6 | # modification, are permitted provided that the following conditions are met: 7 | # * Redistributions of source code must retain the above copyright 8 | # notice, this list of conditions and the following disclaimer. 9 | # * Redistributions in binary form must reproduce the above copyright 10 | # notice, this list of conditions and the following disclaimer in the 11 | # documentation and/or other materials provided with the distribution. 12 | # * Neither the name of the Cisco International Ltd nor the 13 | # names of its contributors may be used to endorse or promote products 14 | # derived from this software without specific prior written permission. 15 | # 16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 17 | # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 18 | # WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 19 | # DISCLAIMED. 
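# IN NO EVENT SHALL CISCO INTERNATIONAL LTD BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

# lib/misc/stdio - message helpers used by packet-monkey.sh.
#
# Every line has the form "<T>: [<check>] <message>", T being I (info),
# W (warning), D (debug) or E (error).  Two globals set by the caller steer
# the output:
#   VERBOSE  - 0, 1 or 2: I needs >= 1, D needs >= 2, W and E always print
#              (treated as 1 if the caller never set it)
#   COLORING - 1 wraps the line in an ANSI colour escape; anything else is plain
# D and E go to stderr so that stdout can be captured cleanly.
#
# Arguments are checked with lib/misc/validate.  A failed check makes the
# helper return 1 without printing.  The original wrote `... || false`, which
# is a no-op without `set -e`: validate_* logged the problem and the message
# was printed anyway.

if [ -z "${stdioincluded}" ]
then

stdioincluded=1

# The two libraries source each other; the include guards make that safe.
. lib/misc/validate

# stdio_message_log CHECK MESSAGE - green "I:" line on stdout when VERBOSE >= 1.
stdio_message_log () {
	local check="${1}"
	local message="${2}"
	[ "$(validate_is_string "${check}")" -eq 1 ] || return 1
	[ "$(validate_is_string "${message}")" -eq 1 ] || return 1
	if [ "${VERBOSE:-1}" -ge 1 ]
	then
		stdio_format_message "32" "I" "${check}" "${message}"
	fi
}

# stdio_message_warn CHECK MESSAGE - yellow "W:" line on stdout, always printed.
stdio_message_warn () {
	local check="${1}"
	local message="${2}"
	[ "$(validate_is_string "${check}")" -eq 1 ] || return 1
	[ "$(validate_is_string "${message}")" -eq 1 ] || return 1
	stdio_format_message "33" "W" "${check}" "${message}"
}

# stdio_message_debug CHECK MESSAGE - magenta "D:" line on stderr when VERBOSE >= 2.
stdio_message_debug () {
	local check="${1}"
	local message="${2}"
	[ "$(validate_is_string "${check}")" -eq 1 ] || return 1
	[ "$(validate_is_string "${message}")" -eq 1 ] || return 1
	if [ "${VERBOSE:-1}" -ge 2 ]
	then
		stdio_format_message "35" "D" "${check}" "${message}" >&2
	fi
}

# stdio_message_error CHECK MESSAGE - red "E:" line on stderr, always printed.
stdio_message_error () {
	local check="${1}"
	local message="${2}"
	[ "$(validate_is_string "${check}")" -eq 1 ] || return 1
	[ "$(validate_is_string "${message}")" -eq 1 ] || return 1
	stdio_format_message "31" "E" "${check}" "${message}" >&2
}

# stdio_format_message COLOR TYPE CHECK MESSAGE - print one formatted line.
# COLOR is the numeric SGR code (31 red, 32 green, 33 yellow, 35 magenta) and
# is only emitted when COLORING is 1.  The caller chooses stdout or stderr.
stdio_format_message () {
	local color="${1}"
	local type="${2}"
	local check="${3}"
	local message="${4}"
	[ "$(validate_is_string "${type}")" -eq 1 ] || return 1
	[ "$(validate_is_string "${check}")" -eq 1 ] || return 1
	[ "$(validate_is_string "${message}")" -eq 1 ] || return 1
	[ "$(validate_is_number "${color}")" -eq 1 ] || return 1
	if [ "${COLORING:-0}" -eq 1 ]
	then
		printf -- "\033[%sm%s: [%s] %s\033[m\n" "${color}" "${type}" "${check}" "${message}"
	else
		printf -- "%s: [%s] %s\n" "${type}" "${check}" "${message}"
	fi
}

fi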
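# IN NO EVENT SHALL CISCO INTERNATIONAL LTD BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

# lib/misc/validate - argument validators for the shell helpers.
#
# Each validate_* function prints "1" when VALUE is acceptable and "0" when
# it is not (also logging an E line through stdio_message_error), so callers
# test the output: [ "$(validate_is_number "${x}")" -eq 1 ].
# This file is POSIX sh (no `local`); keep it portable even though it is
# sourced from bash scripts.

if [ -z "${validateincluded}" ]
then

validateincluded=1

# The two libraries source each other; the include guards make that safe.
. lib/misc/stdio

# validate_matches_regex VALUE REGEX - "1" if some line of VALUE matches the
# extended regex REGEX, else "0".
# VALUE is terminated with a newline so the empty string is one (empty) line:
# with printf "%s" grep saw no line at all and rejected "" even for ".*".
# grep -q replaces capturing the output, so a matching empty line counts too.
validate_matches_regex () {
	value="${1}"
	regex="${2}"
	if printf -- "%s\n" "${value}" | grep -Eq -- "${regex}"
	then
		printf -- "1\n"
	else
		printf -- "0\n"
	fi
}

# validate_is_string VALUE - accepts any value, including the empty string.
validate_is_string () {
	value="${1}"
	if [ "$(validate_matches_regex "${value}" ".*")" -eq 1 ]
	then
		printf -- "1\n"
	else
		stdio_message_error "validate" "invalid string: ${value}"
		printf -- "0\n"
	fi
}

# validate_is_number VALUE - one or more ASCII digits and nothing else
# (no sign, no whitespace).  A multi-line value passes if any line is digits.
validate_is_number () {
	value="${1}"
	if [ "$(validate_matches_regex "${value}" "^[0-9]+$")" -eq 1 ]
	then
		printf -- "1\n"
	else
		stdio_message_error "validate" "invalid number: ${value}"
		printf -- "0\n"
	fi
}

# validate_is_boolean VALUE - exactly "0" or "1".
# The original called the undefined function validate_is_regex, so every
# value - including "0" and "1" - was reported as an invalid boolean.
validate_is_boolean () {
	value="${1}"
	if [ "$(validate_matches_regex "${value}" "^[0-1]$")" -eq 1 ]
	then
		printf -- "1\n"
	else
		stdio_message_error "validate" "invalid boolean: ${value}"
		printf -- "0\n"
	fi
}

fi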
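# source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# * Neither the name of the Cisco International Ltd nor the
# names of its contributors may be used to endorse or promote products
# derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL CISCO INTERNATIONAL LTD BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

# packet-monkey.sh - slice a PCAP into per-protocol PCAPs using the Wireshark
# display filters kept under lib/filters (one filter per file, lines starting
# with '#' are comments), so that interesting traffic can be reviewed one
# protocol at a time.
#
# Must be run from the repository root: lib/misc/* and lib/filters/* are
# addressed by relative path.  Needs tshark on PATH.  Slices are written to
# the current directory as "<pcap basename>-<filter name>.pcap".

. lib/misc/stdio

# ASCII banner, printed before any other output.
header () {
	printf " _ _ _ \n"
	printf " _ __ __ _ ___| | _____| |_ _ __ ___ ___ _ __ | | _____ _ _ \n"
	printf "| '_ \ / _\` |/ __| |/ / _ \ __|____| '_ \` _ \ / _ \| '_ \| |/ / _ \ | | |\n"
	printf "| |_) | (_| | (__| < __/ ||_____| | | | | | (_) | | | | < __/ |_| |\n"
	printf "| .__/ \__,_|\___|_|\_\___|\__| |_| |_| |_|\___/|_| |_|_|\_\___|\__, |\n"
	printf "|_| |___/ \n"
	printf "\n"
	printf " =[ @timb_machine ]=\n"
	printf "\n"
}

# --version: banner, one-line description and the authors list, then exit 1.
version () {
	header
	preamble
	printf "Brought to you by:\n"
	printf "\n"
	cat doc/AUTHORS
	exit 1
}

preamble () {
	printf "Shell script to analyse PCAPs using Wireshark filters.\n\n"
}

# --help: usage text listing the filter types and filter names found on disk,
# then exit 1.
usage () {
	header
	preamble
	printf "Usage: %s\n" "${0}"
	printf "\n"
	printf "\t--help\tdisplay this help and exit\n"
	printf "\t--version\tdisplay version and exit\n"
	printf "\t--color\tenable output coloring\n"
	# The original ended this line with \"; which left the string open and
	# made the whole file fail to parse.
	printf "\t--delemptypcap\tdelete empty pcap slices\n"
	printf "\t--verbose\tverbose level (0-2, default: 1)\n"
	printf "\t--type\tselect from one of the following filter types:\n"
	for filtertype in lib/filters/enabled/*
	do
		printf "\t\t%s\n" "$(basename "${filtertype}")"
	done
	printf "\t--filters\tprovide a comma separated list of filters to run, select from the following filters:\n"
	for filter in lib/filters/*
	do
		if [ "$(basename "${filter}")" != "enabled" ]
		then
			printf "\t\t%s\n" "$(basename "${filter}")"
		fi
	done
	printf "\t--streams\tdump full streams\n"
	printf "\t--pcapfilename\tprovide a PCAP to process\n"
	exit 1
}

# output_basename PCAP - file name without directory and without a trailing
# ".pcap"; every slice and the cleanup pass derive their names from this.
# Anchored, so "foo.pcapng" or "xpcap-dump" are left alone (the original
# "s/.pcap//g" treated the dot as a wildcard and stripped every occurrence).
output_basename () {
	basename "${1}" | sed 's/\.pcap$//'
}

# stream_filter PROTO FILTER - build "PROTO.port == A || PROTO.port == B ..."
# from the source ports of every packet matching FILTER, so that whole
# conversations (both directions) are written rather than only the packets
# FILTER itself matched.  Ports are de-duplicated; prints nothing when FILTER
# matched no packets.
stream_filter () {
	local proto="${1}"
	local basefilter="${2}"
	tshark -r "${PCAPFILENAME}" -T fields -e "${proto}.srcport" -2 -R "${basefilter}" \
		| sort -u \
		| awk -v proto="${proto}" '$1 != "" { printf("%s%s.port == %s", sep, proto, $1); sep=" || " }'
}

# run_filter FILTERFILE - apply one display filter file to PCAPFILENAME and
# write the slice.  Shared by the --filters and --type code paths, which the
# original duplicated (only one of them emitted the tshark debug line).
run_filter () {
	local filterfilename="${1}"
	local filtername filter outputfilename portfilter
	if [ ! -f "${filterfilename}" ]
	then
		stdio_message_error "packet-monkey" "the provided filter '${filterfilename}' is not a file"
		return 1
	fi
	filtername="$(basename "${filterfilename}")"
	outputfilename="$(output_basename "${PCAPFILENAME}")-${filtername}.pcap"
	# '#' lines in a filter file are comments.
	filter="$(grep -v "^#" "${filterfilename}")"
	if [ -z "${filter}" ]
	then
		stdio_message_error "packet-monkey" "${filtername}: filter file is empty"
		return 1
	fi
	stdio_message_log "packet-monkey" "${filtername}: ${filter}"
	portfilter=""
	if [ "${STREAMS}" -eq 1 ]
	then
		# Same crude sniff as before: the filter text mentions tcp or udp.
		case "${filter}" in
			*tcp*)
				stdio_message_log "packet-monkey" "${filtername}: mangling tcp sessions"
				portfilter="$(stream_filter tcp "${filter}")"
				;;
			*udp*)
				stdio_message_log "packet-monkey" "${filtername}: mangling udp sessions"
				portfilter="$(stream_filter udp "${filter}")"
				;;
		esac
	fi
	if [ -n "${portfilter}" ]
	then
		stdio_message_debug "tshark" "${portfilter}"
		tshark -r "${PCAPFILENAME}" -w "${outputfilename}" -2 -R "${portfilter}"
	else
		# Streams not requested, or nothing matched: use the filter itself
		# rather than handing tshark an empty -R expression.
		tshark -r "${PCAPFILENAME}" -w "${outputfilename}" -2 -R "${filter}"
	fi
	du -sh "${outputfilename}"
}

# TODO make it use lib/misc/validate
COLORING="0"
VERBOSE="1"
DELETING="0"
TYPE="all"
FILTERS=""
STREAMS="0"
PCAPFILENAME=""
while [ -n "${1}" ]
do
	case "${1}" in
		--help|-h)
			usage
			;;
		--version|-v|-V)
			version
			;;
		--color)
			COLORING="1"
			;;
		--verbose)
			shift
			VERBOSE="${1}"
			;;
		--delemptypcap|-d)
			DELETING="1"
			;;
		--type|-t)
			shift
			TYPE="${1}"
			;;
		--filters|-f)
			shift
			FILTERS="${1}"
			;;
		--streams|-s)
			STREAMS="1"
			;;
		--pcapfilename|-p)
			shift
			PCAPFILENAME="${1}"
			;;
	esac
	shift
done
header
if ! command -v tshark >/dev/null 2>&1
then
	stdio_message_error "packet-monkey" "tshark was not found on PATH - install Wireshark/tshark first"
	exit 1
fi
if [ "${VERBOSE}" != "0" ] && [ "${VERBOSE}" != "1" ] && [ "${VERBOSE}" != "2" ]
then
	stdio_message_error "packet-monkey" "the provided verbose level ${VERBOSE} is invalid - use 0, 1 or 2 next time"
	VERBOSE="1"
fi
# -f/-r rather than -e: a directory or an unreadable file would only fail
# later inside tshark.
if [ ! -f "${PCAPFILENAME}" ] || [ ! -r "${PCAPFILENAME}" ]
then
	stdio_message_error "packet-monkey" "the provided pcap file '${PCAPFILENAME}' is invalid"
	exit 1
fi
if [ -n "${FILTERS}" ]
then
	# Names are resolved under lib/filters, so "enabled/<type>/<name>" works
	# too.  This is the operator's own command line, so no attempt is made to
	# stop ".." from escaping that directory.
	for filterfilename in $(printf -- "%s" "${FILTERS}" | tr -d " " | tr "," " ")
	do
		if [ ! -f "lib/filters/${filterfilename}" ]
		then
			stdio_message_error "packet-monkey" "the provided filter name '${filterfilename}' does not exist"
		else
			run_filter "lib/filters/${filterfilename}"
		fi
	done
else
	if [ ! -d "lib/filters/enabled/${TYPE}" ]
	then
		stdio_message_error "packet-monkey" "the provided filter type '${TYPE}' does not exist"
	else
		for filterfilename in "lib/filters/enabled/${TYPE}"/*
		do
			run_filter "${filterfilename}"
		done
	fi
fi

if [ "${DELETING}" -eq 1 ]
then
	stdio_message_log "packet-monkey" "Checking generated pcap files, deleting the empty one"
	BASEFN="$(output_basename "${PCAPFILENAME}")"
	for pcapfile in "${BASEFN}"-*.pcap
	do
		[ -f "${pcapfile}" ] || continue
		# A slice is empty when tshark finds no first frame.  The original
		# tested "wc -l == 2", i.e. the number of 0x0a bytes that happened to
		# be in the capture header tshark wrote - a fragile heuristic.
		if [ -z "$(tshark -r "${pcapfile}" -c 1 -T fields -e frame.number 2>/dev/null)" ]
		then
			rm -f "${pcapfile}"
		fi
	done
fi

exit 0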
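--------------------------------------------------------------------------------
#!/bin/sh
# Copyright (c) 2021-2025, Tim Brown
# Copyright (c) 2025, Cisco International Ltd
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#     * Redistributions of source code must retain the above copyright
#       notice, this list of conditions and the following disclaimer.
#     * Redistributions in binary form must reproduce the above copyright
#       notice, this list of conditions and the following disclaimer in the
#       documentation and/or other materials provided with the distribution.
#     * Neither the name of the Cisco International Ltd nor the
#       names of its contributors may be used to endorse or promote products
#       derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL CISCO INTERNATIONAL LTD BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

# Regenerate lib/filters/enabled/all/other: the catch-all filter that matches
# whatever none of the other enabled filters (including bespoke ones) match.
# Run from the repository root; all paths below are relative to it.

OTHER="lib/filters/enabled/all/other"

# Drop the previous catch-all first so the glob below does not fold it into
# its own replacement. -f keeps a first run (no file yet) quiet.
rm -f "${OTHER}"

# Assemble into a dotfile in the parent directory, then move it into place: a
# redirect straight onto ${OTHER} can create the file before the loop's glob is
# expanded, so the new, half-written file would match all/* and be negated too.
TMPOTHER="lib/filters/enabled/.other.tmp.$$"
for filterfilename in lib/filters/enabled/all/* lib/filters/enabled/bespoke/*
do
	# An empty bespoke directory leaves the pattern unexpanded; skip non-files.
	[ -f "${filterfilename}" ] || continue
	# Negate each enabled filter; comment lines are dropped as packet-monkey does.
	printf -- "%s" "!($(grep -v "^#" "${filterfilename}")) and "
done | sed "s/ and $//g" >"${TMPOTHER}"
mv "${TMPOTHER}" "${OTHER}"
printf "don't forget to fix the quoting\n"
--------------------------------------------------------------------------------
/tools/generate-other.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Copyright (c) 2021-2025, Tim Brown
# Copyright (c) 2025, Cisco International Ltd
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#     * Redistributions of source code must retain the above copyright
#       notice, this list of conditions and the following disclaimer.
#     * Redistributions in binary form must reproduce the above copyright
#       notice, this list of conditions and the following disclaimer in the
#       documentation and/or other materials provided with the distribution.
#     * Neither the name of the Cisco International Ltd nor the
#       names of its contributors may be used to endorse or promote products
#       derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED.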
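# IN NO EVENT SHALL CISCO INTERNATIONAL LTD BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

# Regenerate lib/filters/enabled/all/other: the catch-all filter that matches
# whatever none of the other filters enabled under all/ match.
# Run from the repository root; all paths below are relative to it.

OTHER="lib/filters/enabled/all/other"

# Drop the previous catch-all first so the glob below does not fold it into
# its own replacement. -f keeps a first run (no file yet) quiet.
rm -f "${OTHER}"

# Assemble into a dotfile in the parent directory, then move it into place: a
# redirect straight onto ${OTHER} can create the file before the loop's glob is
# expanded, so the new, half-written file would match all/* and be negated too.
TMPOTHER="lib/filters/enabled/.other.tmp.$$"
for filterfilename in lib/filters/enabled/all/*
do
	# An empty directory leaves the pattern unexpanded; skip non-files.
	[ -f "${filterfilename}" ] || continue
	# Negate each enabled filter; comment lines are dropped as packet-monkey does.
	printf -- "%s" "!($(grep -v "^#" "${filterfilename}")) and "
done | sed "s/ and $//g" >"${TMPOTHER}"
mv "${TMPOTHER}" "${OTHER}"
printf "don't forget to fix the quoting\n"
--------------------------------------------------------------------------------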