Junkie the Network Sniffer

I always try to keep my blog independent of all commercial products. I don’t like “v€ndor$” trying to sell you the “most-powerful-solution-ever-seen-on-earth”. For me, information security must be based on a deep analysis of the problems, then choosing the best solution to match the requirements (features, budget, ease of use, etc). This time, I’ll make a small exception and mention a company, but only for the following reason: some of their source code is released for free.

SecurActive is a French company which develops network and application monitoring solutions. In a few words, their solutions are powerful network sniffers which analyze the collected data to provide deep flow analysis regarding security and performance. As usual, there are a lot of open source solutions installed under the cover. They like free software and decided to release a core component developed by themselves: “Junkie“.

What’s Junkie? This tool could be seen as a merge of Wireshark (tshark) and tcpdump. Junkie captures the traffic from a designated interface and decodes the detected protocols on the fly. To get a better understanding, check out the following capture of an HTTP request (preceded by the DNS lookups for the host):

Capture@0x96ca6bc: head_len=24, payload=74, dev_id=0, tv=1304362144s 810422us
Ethernet@0x96ca71c: head_len=14, payload=60, vlan_id=0, source=00:0c:29:f5:ed:fd, dest=00:23:08:3f:55:a2, proto=2048
IPv4@0x96d3a14: head_len=20, payload=40, version=4, addr=192.168.254.62->192.168.254.1 (hashed the other way), proto=17, ttl=64
UDP@0x96c74d4: head_len=8, payload=32, ports=50364->53
DNS@0x96c766c: head_len=32, payload=0, QUERY, tx_id=19437, err_code=0, request_type=AAAA, dns_class=IN, name=www.google.com
Capture@0x96ca6bc: head_len=24, payload=144, dev_id=0, tv=1304362144s 842322us
Ethernet@0x96ca71c: head_len=14, payload=130, vlan_id=0, source=00:23:08:3f:55:a2, dest=00:0c:29:f5:ed:fd, proto=2048
IPv4@0x96d3a14: head_len=20, payload=110, version=4, addr=192.168.254.1->192.168.254.62, proto=17, ttl=64
UDP@0x96c74d4: head_len=8, payload=102, ports=53->50364
DNS@0x96c766c: head_len=102, payload=0, ANSWER, tx_id=19437, err_code=0, request_type=AAAA, dns_class=IN, name=www.google.com
Capture@0x96ca6bc: head_len=24, payload=74, dev_id=0, tv=1304362144s 842868us
Ethernet@0x96ca71c: head_len=14, payload=60, vlan_id=0, source=00:0c:29:f5:ed:fd, dest=00:23:08:3f:55:a2, proto=2048
IPv4@0x96d3a14: head_len=20, payload=40, version=4, addr=192.168.254.62->192.168.254.1 (hashed the other way), proto=17, ttl=64
UDP@0x96c74d4: head_len=8, payload=32, ports=49208->53
DNS@0x96c766c: head_len=32, payload=0, QUERY, tx_id=42977, err_code=0, request_type=A, dns_class=IN, name=www.google.com
Capture@0x96ca6bc: head_len=24, payload=142, dev_id=0, tv=1304362144s 873071us
Ethernet@0x96ca71c: head_len=14, payload=128, vlan_id=0, source=00:23:08:3f:55:a2, dest=00:0c:29:f5:ed:fd, proto=2048
IPv4@0x96d3a14: head_len=20, payload=108, version=4, addr=192.168.254.1->192.168.254.62, proto=17, ttl=64
UDP@0x96c74d4: head_len=8, payload=100, ports=53->49208
DNS@0x96c766c: head_len=100, payload=0, ANSWER, tx_id=42977, err_code=0, request_type=A, dns_class=IN, name=www.google.com
Capture@0x96ca6bc: head_len=24, payload=178, dev_id=0, tv=1304362144s 915593us
Ethernet@0x96ca71c: head_len=14, payload=164, vlan_id=0, source=00:0c:29:f5:ed:fd, dest=00:23:08:3f:55:a2, proto=2048
IPv4@0x96d3a14: head_len=20, payload=144, version=4, addr=192.168.254.62->74.125.79.147 (hashed the other way), proto=6, ttl=64
TCP@0x96c7704: head_len=32, payload=112, ports=39549->80, flags=Ack, win=183, ack=1273586323, seq=1427884801
HTTP@0x96c789c: head_len=112, payload=0, method=GET, code=unset, content_length=unset, mime_type=unset, host=www.google.com, url=/

As you can see, each packet is decoded layer by layer following the OSI model. At the highest layer, useful information is extracted such as the request type, URL, FQDN, etc. At the moment, common protocols (including over IPv6) are handled: CIFS, DNS, FTP, HTTP, BitTorrent, NetBIOS, RTP, SIP, SSL. As the source code is provided, why not write your own parser? Another cool feature is the plugin architecture: plugins can be developed to perform further actions on the captured traffic. In the default source tree, a simple “dumper” plugin is provided (it displays the captured traffic as seen above). Junkie is an interesting tool which could be greatly enhanced by third-party developers.
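
The dumper output above is regular enough to be post-processed without touching Junkie’s C code. The following added example (my own code, not part of Junkie or SecurActive’s tree) parses those lines back into per-packet, per-layer field dictionaries, pairs DNS queries with their answers on tx_id (an unanswered query is a classic thing to look for), and lists the decoded HTTP requests with the client address taken from the IPv4 layer. The sample input is constructed from the capture shown above; layer and field names are those printed by the dumper plugin.

```python
import re

# Constructed sample in the format printed by Junkie's "dumper" plugin: the
# AAAA query, its answer and the HTTP request from the capture above (Ethernet
# lines dropped for brevity; the parser does not depend on them).
SAMPLE = """\
Capture@0x96ca6bc: head_len=24, payload=74, dev_id=0, tv=1304362144s 810422us
IPv4@0x96d3a14: head_len=20, payload=40, version=4, addr=192.168.254.62->192.168.254.1 (hashed the other way), proto=17, ttl=64
UDP@0x96c74d4: head_len=8, payload=32, ports=50364->53
DNS@0x96c766c: head_len=32, payload=0, QUERY, tx_id=19437, err_code=0, request_type=AAAA, dns_class=IN, name=www.google.com
Capture@0x96ca6bc: head_len=24, payload=144, dev_id=0, tv=1304362144s 842322us
IPv4@0x96d3a14: head_len=20, payload=110, version=4, addr=192.168.254.1->192.168.254.62, proto=17, ttl=64
UDP@0x96c74d4: head_len=8, payload=102, ports=53->50364
DNS@0x96c766c: head_len=102, payload=0, ANSWER, tx_id=19437, err_code=0, request_type=AAAA, dns_class=IN, name=www.google.com
Capture@0x96ca6bc: head_len=24, payload=178, dev_id=0, tv=1304362144s 915593us
IPv4@0x96d3a14: head_len=20, payload=144, version=4, addr=192.168.254.62->74.125.79.147 (hashed the other way), proto=6, ttl=64
TCP@0x96c7704: head_len=32, payload=112, ports=39549->80, flags=Ack, win=183, ack=1273586323, seq=1427884801
HTTP@0x96c789c: head_len=112, payload=0, method=GET, code=unset, content_length=unset, mime_type=unset, host=www.google.com, url=/
"""

LINE_RE = re.compile(r"^(\w+)@0x[0-9a-f]+: (.*)$", re.M)

def parse_dump(text):
    """Group dumper lines into packets: one dict per Capture line, layer -> fields."""
    packets = []
    for layer, rest in LINE_RE.findall(text):
        fields = {}
        for tok in rest.split(", "):
            key, eq, val = tok.partition("=")
            fields[key] = val if eq else True   # bare flags such as QUERY / ANSWER
        if layer == "Capture":                  # each Capture line starts a new packet
            packets.append({})
        packets[-1][layer] = fields
    return packets

def dns_transactions(packets):
    """Pair DNS queries with answers on tx_id; a query left unanswered is worth a look."""
    tx = {}
    for p in packets:
        dns = p.get("DNS")
        if dns:
            entry = tx.setdefault(dns["tx_id"], {"name": dns["name"], "answered": False})
            if "ANSWER" in dns:
                entry["answered"] = True
    return tx

def http_requests(packets):
    """Return (client_ip, host, method, url) for every decoded HTTP request."""
    return [(p["IPv4"]["addr"].split("->")[0], p["HTTP"]["host"], p["HTTP"]["method"], p["HTTP"]["url"])
            for p in packets if "HTTP" in p and p["HTTP"]["method"] != "unset"]
```

Feed it the dumper’s stdout (for example `junkie ... | python3 parse_dump.py`) and the two summaries give you a quick DNS/HTTP view of a capture without reopening it in Wireshark.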

The source code is available on github.com/securactive/junkie.

One comment

  1. Hi Xavier,

    I don’t want to compare vendors but… have a look at this product: Niksun.
    It’s very powerful for forensics and network troubleshooting.

    Looks like we are all going to VaaS (Visibility as a Service)…
