Deepfence has launched a new open source tool, PacketStreamer, that captures network traffic from multiple sources to reveal potential hacking behaviors.
PacketStreamer sensors collect raw network packets on remote hosts, apply filters, and forward them to a central receiver process where they are written in pcap format. Traffic streams can be compressed or encrypted using Transport Layer Security (TLS).
The company says the sensors impose little performance impact on the remote hosts, and that they can be run on bare-metal servers, on Docker hosts, and on Kubernetes nodes.
Users can then process the pcap file offline, feed the traffic live into tools such as Zeek, Wireshark, or Suricata, or pass it as a live stream to machine learning models.
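The receiver's output is plain pcap, so any consumer only needs to understand that format. The following added example (not PacketStreamer's own code, and written without reference to its implementation) builds a small capture from constructed Ethernet/IPv4 frames, parses the pcap global and per-record headers, and summarises the conversations it finds, which is the kind of first-pass triage a forensics or threat-hunting workflow would run over a stream before handing it to Zeek or Suricata. All addresses and frames are constructed sample data, and the IPv4 checksum is left at zero because the parser does not validate it.

```python
import socket
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4   # microsecond-resolution pcap, little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1   # same magic seen when the file is big-endian
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    # magic, version 2.4, thiszone, sigfigs, snaplen, link type (24 bytes)
    return struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec, ts_usec, frame):
    # per-record header: ts_sec, ts_usec, captured length, original length
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def ipv4_frame(src, dst, proto, payload=b""):
    # Constructed Ethernet II frame carrying a minimal IPv4 header (no options).
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + \
        struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0,  # checksum left at 0: sample data only
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def build_sample_capture():
    # Constructed capture: two TCP packets from one host, one UDP from another.
    frames = [
        (1_700_000_000, 0, ipv4_frame("10.0.0.1", "10.0.0.2", 6, b"GET /")),
        (1_700_000_000, 500, ipv4_frame("10.0.0.1", "10.0.0.2", 6, b"HTTP/1.1")),
        (1_700_000_001, 0, ipv4_frame("10.0.0.3", "10.0.0.2", 17, b"\x00" * 8)),
    ]
    return pcap_global_header() + b"".join(pcap_record(*f) for f in frames)


def parse_pcap(data):
    """Return a list of dicts, one per record, with timestamp and IPv4 fields."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a microsecond pcap file: magic 0x%08x" % magic)
    _, vmaj, vmin, _tz, _sig, _snap, linktype = struct.unpack_from(end + "IHHiIII", data, 0)
    if (vmaj, vmin) != (2, 4) or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap version or link type")

    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(end + "IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += 16 + incl_len
        rec = {"ts": ts_sec + ts_usec / 1e6, "captured": incl_len, "wire": orig_len}
        # Decode only Ethernet + IPv4; other frames are kept but left undecoded.
        if len(frame) >= 34 and struct.unpack_from("!H", frame, 12)[0] == ETHERTYPE_IPV4:
            rec["src"] = socket.inet_ntoa(frame[26:30])
            rec["dst"] = socket.inet_ntoa(frame[30:34])
            rec["proto"] = frame[23]
        records.append(rec)
    return records


def top_talkers(records):
    """Count packets per (src, dst, proto) conversation, ignoring undecoded frames."""
    return Counter((r["src"], r["dst"], r["proto"]) for r in records if "src" in r)


if __name__ == "__main__":
    recs = parse_pcap(build_sample_capture())
    for key, n in top_talkers(recs).most_common():
        print("%s -> %s proto=%d packets=%d" % (key[0], key[1], key[2], n))
```

The parser checks the magic, version, link type, and that each record's captured length is actually present, so a truncated or corrupted stream from a sensor fails loudly rather than yielding silently wrong counts; a real pipeline would also want to handle the nanosecond-resolution magic and non-Ethernet link types.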
Use cases
Owen Garrett, head of community and products at Deepfence, says the main applications are likely to be checking which requests servers are processing for the purpose of debugging, forensics in the event of an incident, and threat hunting activities.
“System administrators may find it useful to debug running applications,” he tells The Daily Swig.
“Cybersecurity teams may find it useful to capture network traffic for post-incident forensics or to support threat hunting activities. Researchers may find it useful to capture real traffic for study.”
There’s also growing activity, he says, around using machine learning to understand network traffic.
“The goal is to accurately establish a baseline for ‘normal’ traffic, identify outliers and possible anomalies, and then correlate these anomalies to identify sequences of events that may indicate the presence of an adversary or the progress of an attack,” he says.
Deepfence’s ThreatStryker attack analysis and threat assessment platform uses this process to capture traffic from production platforms for forensics and anomaly detection.
The company claims that, to the best of its knowledge, there’s no other simple, lightweight, scalable method to capture and stream packets from virtualized environments such as K8s, VMs, or Fargate, across multiple clouds.
“The issue is that modern compute environments are quite different from legacy environments – they are cloud based, span large numbers of servers, and use virtualization technologies and container platforms,” says Garrett.
“PacketStreamer takes contemporary network capture and transforms it for modern, cloud-native environments.”
Garrett says that the company welcomes contributions, and that it’s had excellent feedback so far.
“We have many plans and requests for enhancements,” he says. “We’ll begin by documenting more use cases, including details on how to feed data from PacketStreamer into common datastores and analysis tools such as Redis, Apache Kafka, and Elasticsearch.”