pj

Command-line application to convert network packets into JSON.

Installation

$ apt-get install -y libpcap-dev
...
$ go install github.com/picatz/pj@latest
...

Help Menu

$ pj -help
  -interface string
        network interface to listen on (default "<FIRST_NON_LOOPBACK>")
  -file string
        pcap file to read packets from
  -filter string
        apply bpf filter to capture or pcap file
  -list-devs
        list network interfaces
  -promiscuous
        capture in promiscuous mode

Usage

Start capturing packets on the default interface. Live capture needs whatever privileges libpcap requires to open the interface (on Linux, root or the CAP_NET_RAW capability); reading a pcap file with -file does not.

$ pj

Start capturing packets on the en0 interface.

$ pj -interface en0
...
{"eth":{"dst":"ff:ff:ff:ff:ff:ff","src":"00:0b:82:01:fc:42","type":2048},"ipv4":{"checksum":6026,"dst_ip":"255.255.255.255","flags":"","frag_offset":0,"id":43063,"ihl":5,"length":300,"options":[],"padding":null,"protocol":17,"src_ip":"0.0.0.0","tos":0,"ttl":250,"version":4},"metadata":{"device_addresses":"","device_description":"","device_name":"en0","length":314,"packet_number":3,"time":"1969-12-31T19:00:00-05:00","truncated":false},"udp":{"checksum":40893,"dst_port":67,"src_port":68}}
...

Read packets from the test.pcapng file. Note that metadata.device_name is empty for packets read from a file.

$ pj -file test.pcapng
{"eth":{"dst":"ff:ff:ff:ff:ff:ff","src":"00:0b:82:01:fc:42","type":2048},"ipv4":{"checksum":6027,"dst_ip":"255.255.255.255","flags":"","frag_offset":0,"id":43062,"ihl":5,"length":300,"options":[],"padding":null,"protocol":17,"src_ip":"0.0.0.0","tos":0,"ttl":250,"version":4},"metadata":{"device_addresses":"","device_description":"","device_name":"","length":314,"packet_number":1,"time":"1969-12-31T19:00:00-05:00","truncated":false},"udp":{"checksum":22815,"dst_port":67,"src_port":68}}
...

Capture packets on the default interface, filtered using jq to select packets that have a TCP layer.

$ pj | jq 'select(.tcp)'
...

Capture packets on the default interface, filtered using jq to select packets that do NOT have a TCP layer (such as DNS over UDP).

$ pj | jq 'select(.tcp == null)'
...

Capture packets on the default interface, filtered using jq to select TCP packets with a destination port of 443 (HTTPS).

$ pj | jq 'select(.tcp.dst_port == 443)'

Capture packets on the default interface, filtered using jq to select TCP packets with a destination port or source port of 22 (SSH).

$ pj | jq 'select(.tcp.dst_port == 22 or .tcp.src_port == 22)'

Capture packets on the default interface, filtered using jq to select TCP RST packets.

$ pj | jq 'select(.tcp.rst)'

Capture packets on the default interface, filtered using jq to select TCP FIN packets.

$ pj | jq 'select(.tcp.fin)'

Capture packets on the default interface, filtered using jq to select TCP packets whose payload starts with an HTTP/1.1 response line. The payload is defaulted to an empty string with jq's // operator because startswith requires a string input and would otherwise print an error for every packet where .tcp.payload is null (non-TCP packets and TCP segments carrying no data).

$ pj | jq 'select((.tcp.payload // "") | startswith("HTTP/1.1"))'
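The JSON lines shown under Usage and the jq filters above all depend on one layout: a top-level key per decoded layer (eth, ipv4, udp, tcp) with scalar fields inside, keys sorted. The program below is an added, stand-alone illustration of that decoding and is not pj's own code (pj links against libpcap; this uses only the Go standard library and performs no capture). It decodes constructed Ethernet/IPv4 frames into the same layer maps and shows the tcp fields the filters select on (src_port, dst_port, rst, fin, payload). The sample frames are constructed here, not real captures; the subset of fields decoded, the syn and ack key names (not visible on this page) and the handling of malformed length fields are this example's own choices, not pj's.

```go
package main

import (
	"encoding/binary"
	"encoding/json"
	"fmt"
	"net"
)

// Packet mirrors the layer/key layout of pj's output above; pj emits more fields than this does.
type Packet struct {
	Eth  map[string]any `json:"eth"`
	IPv4 map[string]any `json:"ipv4,omitempty"`
	UDP  map[string]any `json:"udp,omitempty"`
	TCP  map[string]any `json:"tcp,omitempty"`
}

// Decode parses Ethernet/IPv4 followed by UDP or TCP. Every length field read from the wire
// is checked before slicing, so a truncated or lying frame returns an error instead of panicking.
func Decode(frame []byte) (*Packet, error) {
	if len(frame) < 14 {
		return nil, fmt.Errorf("frame shorter than Ethernet header")
	}
	etherType := binary.BigEndian.Uint16(frame[12:14])
	p := &Packet{Eth: map[string]any{"dst": net.HardwareAddr(frame[0:6]).String(),
		"src": net.HardwareAddr(frame[6:12]).String(), "type": etherType}}
	if etherType != 0x0800 { // only IPv4 is decoded in this example
		return p, nil
	}
	ip := frame[14:]
	if len(ip) < 20 {
		return nil, fmt.Errorf("truncated IPv4 header")
	}
	ihl, total := int(ip[0]&0x0f)*4, int(binary.BigEndian.Uint16(ip[2:4]))
	if ihl < 20 || total < ihl || total > len(ip) {
		return nil, fmt.Errorf("inconsistent IPv4 IHL %d / total length %d", ihl, total)
	}
	p.IPv4 = map[string]any{"version": ip[0] >> 4, "ihl": ip[0] & 0x0f, "length": total,
		"ttl": ip[8], "protocol": ip[9], "src_ip": net.IP(ip[12:16]).String(),
		"dst_ip": net.IP(ip[16:20]).String()}
	l4 := ip[ihl:total] // bytes past the IP total length (Ethernet padding) are ignored
	switch ip[9] {
	case 17:
		if len(l4) < 8 {
			return nil, fmt.Errorf("truncated UDP header")
		}
		p.UDP = map[string]any{"src_port": binary.BigEndian.Uint16(l4[0:2]),
			"dst_port": binary.BigEndian.Uint16(l4[2:4])}
	case 6:
		if len(l4) < 20 || int(l4[12]>>4)*4 < 20 || int(l4[12]>>4)*4 > len(l4) {
			return nil, fmt.Errorf("truncated TCP header or bad data offset")
		}
		doff, f := int(l4[12]>>4)*4, l4[13]
		p.TCP = map[string]any{"src_port": binary.BigEndian.Uint16(l4[0:2]),
			"dst_port": binary.BigEndian.Uint16(l4[2:4]), "fin": f&0x01 != 0, "syn": f&0x02 != 0,
			"rst": f&0x04 != 0, "ack": f&0x10 != 0, "payload": string(l4[doff:])}
	}
	return p, nil
}

// be16 packs 16-bit words big-endian; it and the two builders below only serve the sample frames.
func be16(words ...uint16) []byte {
	b := make([]byte, 2*len(words))
	for i, w := range words {
		binary.BigEndian.PutUint16(b[2*i:], w)
	}
	return b
}

func ethFrame(dst, src string, ip []byte) []byte {
	d, _ := net.ParseMAC(dst)
	s, _ := net.ParseMAC(src)
	return append(append(append(append([]byte{}, d...), s...), 0x08, 0x00), ip...)
}

func ipv4Packet(src, dst string, proto, ttl byte, l4 []byte) []byte {
	h := be16(0x4500, uint16(20+len(l4)), 0, 0, uint16(ttl)<<8|uint16(proto), 0) // checksum left 0
	h = append(append(h, net.ParseIP(src).To4()...), net.ParseIP(dst).To4()...)
	return append(h, l4...)
}

// Constructed sample input, not real captures: a DHCP-style broadcast with the addresses from
// the README output, a TCP RST/ACK, and an HTTP response segment.
var SampleDHCP = ethFrame("ff:ff:ff:ff:ff:ff", "00:0b:82:01:fc:42", ipv4Packet("0.0.0.0", "255.255.255.255",
	17, 250, append(be16(68, 67, 248, 0), make([]byte, 240)...))) // UDP: ports, length 8+240, checksum 0
var SampleRST = ethFrame("00:11:22:33:44:55", "66:77:88:99:aa:bb", ipv4Packet("10.0.0.2", "10.0.0.1",
	6, 64, be16(443, 51000, 0, 0, 0, 0, 5<<12|0x14, 0, 0, 0))) // TCP: data offset 5, flags RST+ACK
var SampleHTTP = ethFrame("00:11:22:33:44:55", "66:77:88:99:aa:bb", ipv4Packet("10.0.0.1", "10.0.0.2",
	6, 64, append(be16(80, 51001, 0, 0, 0, 0, 5<<12|0x18, 0, 0, 0), "HTTP/1.1 200 OK\r\n"...)))

func main() {
	for _, f := range [][]byte{SampleDHCP, SampleRST, SampleHTTP} {
		if p, err := Decode(f); err != nil {
			fmt.Println("error:", err)
		} else if line, err := json.Marshal(p); err == nil { // map keys come out sorted, as in pj
			fmt.Println(string(line))
		}
	}
}
```

Running it prints one JSON line per sample frame, which can be piped into the jq selectors above to try them without a live capture. The length checks are the part worth copying into any decoder that sits behind a capture: packets come from untrusted senders, and a crafted IHL, IPv4 total length or TCP data offset must turn into an error rather than an out-of-range slice that takes the whole capture loop down.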