⭐ ⭐ Distributed tcpdump for cloud native environments ⭐ ⭐
deepfence/PacketStreamer
Deepfence PacketStreamer is a high-performance remote packet capture and collection tool. It is used by Deepfence's ThreatStryker security observability platform to gather network traffic on demand from cloud workloads for forensic analysis.
Primary design goals:
- Stay light, capture and stream, no additional processing
- Portability: works across virtual machines, Kubernetes and AWS Fargate, on Linux and Windows
PacketStreamer sensors are started on the target servers. Sensors capture traffic, apply filters, and then stream the traffic to a central receiver. Traffic streams may be compressed and/or encrypted using TLS.
The PacketStreamer receiver accepts PacketStreamer streams from multiple remote sensors, and writes the packets to a local pcap capture file.
PacketStreamer sensors collect raw network packets on remote hosts. A sensor selects the packets to capture using a BPF filter, and forwards them to a central receiver process where they are written in pcap format. Sensors are very lightweight and impose little performance impact on the remote hosts. PacketStreamer sensors can be run on bare-metal servers, on Docker hosts, and on Kubernetes nodes.
The PacketStreamer receiver accepts network traffic from multiple sensors, collecting it into a single, central pcap file. You can then process the pcap file or live-feed the traffic to the tooling of your choice, such as Zeek, Wireshark or Suricata, or as a live stream for Machine Learning models.
PacketStreamer meets more general use cases than existing alternatives. For example, use PacketStreamer if you need a lightweight, efficient method to collect raw network data from multiple machines for central logging and analysis.
For full instructions, refer to the PacketStreamer Documentation.
You will need to install the golang toolchain and libpcap-dev before building PacketStreamer.
```bash
# Pre-requisites (Ubuntu):
sudo apt install golang-go libpcap-dev
git clone https://github.com/deepfence/PacketStreamer.git
cd PacketStreamer/
make
```
Run a PacketStreamer receiver, listening on port 8081 and writing pcap output to /tmp/dump_file (see receiver.yaml):
```bash
./packetstreamer receiver --config ./contrib/config/receiver.yaml
```
Run one or more PacketStreamer sensors on local and remote hosts. Edit the server address in sensor.yaml:
```bash
# run on the target hosts to capture and forward traffic
# copy and edit the sample sensor-local.yaml file, and add the address of the receiver host
cp ./contrib/config/sensor-local.yaml ./contrib/config/sensor.yaml
./packetstreamer sensor --config ./contrib/config/sensor.yaml
```
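Once the receiver is writing /tmp/dump_file, a quick integrity check of the capture before handing it to Zeek or Wireshark is worth having. The stdlib-only classic-pcap parser below is an added example, not part of the PacketStreamer code; the byte layout it decodes is the standard pcap format, and the embedded sample bytes, record values and truncation checks are the example's own constructions.

```python
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D  # classic pcap, nanosecond timestamps

def parse_pcap(data: bytes):
    """Return (link_type, records) for a classic pcap blob; raise ValueError on corruption."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    endian = None
    for candidate in ("<", ">"):  # detect the file's byte order from the magic number
        magic = struct.unpack(candidate + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            endian = candidate
            break
    if endian is None:
        raise ValueError("not a classic pcap file (bad magic)")
    ts_div = 1_000_000 if magic == PCAP_MAGIC_USEC else 1_000_000_000
    _maj, _min, _tz, _sig, snaplen, link_type = struct.unpack(endian + "HHiIII", data[4:24])
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        # A record claiming more bytes than the snaplen or than the original frame is corrupt
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"corrupt record at offset {off}: incl_len {incl_len}")
        off += 16
        if off + incl_len > len(data):
            raise ValueError(f"truncated packet data at offset {off}")
        records.append({"ts": ts_sec + ts_frac / ts_div, "incl_len": incl_len,
                        "orig_len": orig_len, "data": data[off:off + incl_len]})
        off += incl_len
    return link_type, records

def summarize(data: bytes) -> dict:
    """Counts worth checking before feeding the file to downstream tooling."""
    link_type, records = parse_pcap(data)
    return {"link_type": link_type, "packets": len(records),
            "captured_bytes": sum(r["incl_len"] for r in records),
            "truncated_packets": sum(r["incl_len"] < r["orig_len"] for r in records)}

def build_sample(endian: str = "<") -> bytes:
    """Constructed sample (not a real capture): Ethernet link type 1, snaplen 65535, two records."""
    hdr = struct.pack(endian + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    pkt1 = bytes(74)  # a full 74-byte frame
    rec1 = struct.pack(endian + "IIII", 1_700_000_000, 500, 74, 74) + pkt1
    rec2 = struct.pack(endian + "IIII", 1_700_000_001, 0, 60, 1500) + bytes(60)  # snapped frame
    return hdr + rec1 + rec2
```

To check a real receiver output, call `summarize(open("/tmp/dump_file", "rb").read())`; a nonzero truncated_packets count means the sensor snaplen is clipping frames.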
- Deepfence ThreatStryker uses PacketStreamer to capture traffic from production platforms for forensics and anomaly detection.
Thank you for using PacketStreamer.
Start with the documentation
Got a question, need some help? Find the Deepfence team on Slack
Got a feature request or found a bug? Raise an issue
- productsecurity at deepfence dot io: Found a security issue? Share it in confidence
- Find out more at deepfence.io
For any security-related issues in the PacketStreamer project, contact productsecurity at deepfence dot io.
Please file GitHub issues as needed, and join the Deepfence Community Slack channel.
The Deepfence PacketStreamer project (this repository) is offered under the Apache2 license.
Contributions to the Deepfence PacketStreamer project are similarly accepted under the Apache2 license, as per GitHub's inbound=outbound policy.
