README
¶
gonetmon
A network activity monitor in Go.
The gonetmon package captures HTTP traffic and displays interesting statistics about the traffic.
Installing / Getting started
Notes
For now, gonetmon reliably works only on Linux. gopacket panics on MacOS and Windows support has not yet been integrated.
In order to be able to capture packets, you'll need the libpcap library. On your favorite Linux distribution, install it like so :
sudo apt-get install libpcap-dev
This will install libpcap-dev on your machine an allow you to capture packets / sniff traffic.
Let's suppose you have a working environment for Go. All that's left to do is getting the package :
go get github.com/bytemare/gonetmon
That just downloaded the project into your $GOPATH/src, and you're set.
'Alright, get me to it !'
Here you go :
cd $GOPATH/src/github.com/bytemare/gonetmon/Tests
go build sniffer.go
sudo ./sniffer
We need to run with elevated privileges, since the system wouldn't let us capture packets otherwise. This will clear your terminal and start showing things like the current http traffic, speed, top visited site, and even show some alerts if the traffic is high.
Not seeing anything ? That's maybe because there's no traffic, or because it's encrypted. Reminder : this only shows plaintext HTTP traffic. But don't worry, I got your back ! On the same machine, open another terminal :
cd Tests/RealTraffic/
go get
go run RealTraffic.go &> /dev/null
This is a webcrawler that will generate a lot of plaintext traffic for a minute or so, exactly what we need !
This is the kind of output that we'll have :
Note that the traffic spike triggered an alert. After some moments, when the storm is down, we'll have a message that we recovered from alert.
A handy little option for our sniffer here is that it can take a timeout (in seconds) as an argument, and will close itself after that timeout. Interesting if you want to dump your traffic for some time without being there.
sudo ./sniffer -timeout=200
In every case, you can gracefully shut down the monitoring by gently hitting CTRL+C on your keyboard.
Configuration
For now all configuration parameters have default values in the code. But it is fairly easy to change them in order to change the programs behaviour, just take a look a params.go.
Documentation
If you want to use specific functions, please read up on them in the documentation.
Todo
Like all engineering projects, there's always room to do better, and these are some of the next things I want to do :
Corrections
- Improve documentation and its layout
- When shutting down, the collector continues logging received packets' IP addresses. That must have something to do with messages still in the PacketSource channel. It would be better if this wouldn't happen.
- Proper 'init()' functions that takes profit of go's 'init()' interpretation
Features
- Ability to fully configure program behaviour with command line arguments and configuration file
- Richer logging
- Add more and better logs
- Make it work on MacOS
- Make it work on Windows
- during runtime, continually watch out for new devices being opened
- export results to different formats : json and/or html to display it in a browser ?
- TCP Stream reassembly : coherently reassemble packets and calculate connection quality based upon round-trips
- Ability to add more filters
Documentation
¶
Overview ¶
Package gonetmon is a HTTP traffic monitor, capturing packets on all open interfaces and presenting results to the console.
It uses gopacket to sniff traffic packets and, based on filters, allows to select allowed packets and analyse them further. gonetmon's main features are :
- a display giving the operator real-time insight about the traffic
- the number of total http packets received over a specified time frame
- current traffic speed
- network interfaces used by the traffic
- the most visited website over a specified time frame, sections visited, request methods and response codes
- alerting whenever the traffic hits a defined threshold, and when it recovered.
The project contains a ready-to-use monitor to start checking out traffic.
Index ¶
- func CLI(syn *synchronisation)
- func Collector(devices *devices, packetChan chan packetMsg, syn *synchronisation)
- func Display(reportChan <-chan *report, alertChan <-chan alertMsg, syn *synchronisation)
- func InitialiseCapture() (*devices, error)
- func LoadParams() *configuration
- func Monitor(packetChan <-chan packetMsg, reportChan chan<- *report, ...)
- func NewAnalysis() *analysis
- func NewReport(a *analysis, watchdogHits int, t time.Time) *report
- func NewSession(alertChan chan<- alertMsg, syn *synchronisation) *session
- func NewWatchdog(c chan<- alertMsg, syn *synchronisation) *watchdog
- func Sniff(testWait *sync.WaitGroup, result chan<- error) error
- func SnifferTest(duration time.Duration) error
- func WatchdogRoutine(dog *watchdog, syn *synchronisation)
- type MetaPacket
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CLI ¶
func CLI(syn *synchronisation)
CLI acts as a command interface that allows an operator to interact with the tool through CLI.
Implemented commands : - stop : through SIGINT or SIGTERM signals
func Collector ¶
func Collector(devices *devices, packetChan chan packetMsg, syn *synchronisation)
Collector listens on all network devices for relevant traffic and sends packets to packetChan Behaviour and filters can be given as argument with parameters
func Display ¶
func Display(reportChan <-chan *report, alertChan <-chan alertMsg, syn *synchronisation)
Display is in charge of rendering a report in to the format of the final output For now, only console output is supported
func InitialiseCapture ¶
func InitialiseCapture() (*devices, error)
InitialiseCapture opens device interfaces and associated handles to listen on, returns a map of these. If the interfaces parameter is not nil, only open those specified.
func LoadParams ¶
func LoadParams() *configuration
LoadParams loads the application's parameters it should run on into an object and returns it
func Monitor ¶
func Monitor(packetChan <-chan packetMsg, reportChan chan<- *report, alertChan chan<- alertMsg, syn *synchronisation)
Monitor is the link between packet capture, alerting, and display, that accumulates data, analyses it and builds report to display
func NewSession ¶
func NewSession(alertChan chan<- alertMsg, syn *synchronisation) *session
NewSession initialises a new monitoring session and launches a watchdog goroutine
func NewWatchdog ¶
func NewWatchdog(c chan<- alertMsg, syn *synchronisation) *watchdog
NewWatchdog returns a watchdog struct and launches a goroutine that will observe its cache to detect alert triggering
func Sniff ¶
Sniff holds examples of initialising a session and manage different routines to perform monitoring
func SnifferTest ¶
SnifferTest is a wrapper function for Sniffer use with a timeout
func WatchdogRoutine ¶
func WatchdogRoutine(dog *watchdog, syn *synchronisation)
WatchdogRoutine is an alert monitor that records a timestamp of each packet inside the current time frame. The watchdog raises an alert if the number of packets meet a given threshold, and informs if alert has recovered. It continuously verifies the cache and will inform about alert status
Types ¶
type MetaPacket ¶
type MetaPacket struct {
// contains filtered or unexported fields
}
MetaPacket is a wrapper around a captured packet with some additional information : /net/http Request or Response struct on which interface the packet was captured
func DataToHTTP ¶
func DataToHTTP(data *packetMsg) (*MetaPacket, error)
DataToHTTP transforms the raw payload into a MetaPacket struct. Returns nil wth an error if data does not contain a valid http payload
func NewMetaPacket ¶
func NewMetaPacket(data *packetMsg) *MetaPacket
NewMetaPacket returns a new struct initialised with values from the packetMsg
Source Files
¶
Directories
¶
| Path | Synopsis |
|---|---|
|
gonetmon is a network monitoring tool.
|
gonetmon is a network monitoring tool. |