A/D Traffic Monitoring
OpenAttackDefenseTools/tulip
Tulip is a deep packet inspection (DPI) tool that allows inspecting and dissecting network traffic (TCP in particular) from a user-friendly web interface.
It allows quickly searching packet contents with regex queries, decoding them directly in the web interface, tagging traffic according to custom filters, ingesting Suricata logs to annotate flows with IPS metadata, and analyzing packet volume and service response times.
One of its defining features is the Copy as Pwntools functionality, which generates a script that replicates the interactions of the selected TCP session.
arkime/arkime
Arkime (formerly Moloch) is an Elasticsearch-based network analysis tool with support for DPI on large-scale data.
The web interface is not as responsive or easy to use as Tulip's. For example, searching for data in packets involves starting a hunt, which requires clicking through at least three different UI elements and makes results available more slowly than other monitoring tools on similar queries.
The defining features of Arkime are its familiar tech stack and the ability to mesh multiple instances, which allows scaling to larger network loads than other tools. This is usually not necessary under typical A/D CTF loads, though.
fox-it/pcap-broker
When playing on organizer-provided vulnboxes, which are often not provisioned to run much else besides the services, it can make sense to send traffic to an external VPS for processing instead.
Pcap-broker helps with this by turning a tcpdump into a pub/sub server, which processing services can connect to via TCP.
Under the hood, pcap-broker writes a valid PCAP header into each client connection and then dumps the real-time traffic into it. This way the overhead to regular tcpdump is effectively zero.
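As an added example (not pcap-broker's own code), here is a minimal Python PCAP-over-IP fan-out that mirrors the behaviour just described: each subscriber that connects over TCP first receives a valid pcap global header, after which every published record is written to all connected clients, so a subscriber can hand the socket straight to any pcap reader. The sample frames, the PcapBroker class and the helper names are all constructed for this illustration.

```python
# Minimal PCAP-over-IP fan-out in the style of pcap-broker (added example,
# not the pcap-broker source). Subscribers get a pcap global header on
# connect, then every record published afterwards, in order.
import socket
import struct
import threading
import time

PCAP_MAGIC = 0xA1B2C3D4         # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER_FMT = "<IHHiIII"  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_FMT = "<IIII"     # ts_sec, ts_usec, incl_len, orig_len


def pcap_global_header(snaplen=262144, linktype=LINKTYPE_ETHERNET):
    """24-byte pcap file header (version 2.4) that must precede any records."""
    return struct.pack(GLOBAL_HEADER_FMT, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(data, ts=None):
    """Frame one captured packet as a pcap record (16-byte header + bytes)."""
    ts = time.time() if ts is None else ts
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack(RECORD_HEADER_FMT, sec, usec, len(data), len(data)) + data


class PcapBroker:
    """Accepts TCP subscribers and fans out every published record to all of them."""

    def __init__(self, host="127.0.0.1", port=0):
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))            # port 0: let the OS pick a free port
        self._srv.listen()
        self.port = self._srv.getsockname()[1]
        self._clients = []
        self._lock = threading.Lock()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, _ = self._srv.accept()
            except OSError:                     # listening socket closed by close()
                return
            # Register and send the header under the lock so no record can be
            # published to this client before its global header is on the wire.
            with self._lock:
                conn.sendall(pcap_global_header())
                self._clients.append(conn)

    def publish(self, record):
        """Send one framed record to every subscriber; drop dead connections."""
        with self._lock:
            for conn in list(self._clients):
                try:
                    conn.sendall(record)
                except OSError:
                    self._clients.remove(conn)
                    conn.close()

    def close(self):
        self._srv.close()
        with self._lock:
            for conn in self._clients:
                conn.close()
            self._clients.clear()


def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket or fail loudly."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("stream ended early")
        buf += chunk
    return bytes(buf)


def read_global_header(sock):
    """Consume and validate the pcap global header; returns (snaplen, linktype)."""
    magic, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(
        GLOBAL_HEADER_FMT, recv_exact(sock, 24))
    if magic != PCAP_MAGIC or (major, minor) != (2, 4):
        raise ValueError("not a little-endian pcap 2.4 stream")
    return snaplen, linktype


def read_record(sock):
    """Consume one pcap record; returns (timestamp, packet_bytes)."""
    sec, usec, incl_len, _orig = struct.unpack(RECORD_HEADER_FMT, recv_exact(sock, 16))
    return sec + usec / 1_000_000, recv_exact(sock, incl_len)


# Constructed sample frames, not real captures: a broadcast Ethernet header
# carrying ARP (0x0806) with a zeroed body, and a second minimal IPv4 frame.
SAMPLE_FRAMES = [
    bytes.fromhex("ffffffffffff0011223344550806") + b"\x00" * 28,
    bytes.fromhex("001122334455ffffffffffff0800") + b"\x00" * 20,
]


def demo():
    """Run a broker, subscribe, publish the sample frames and return what the
    subscriber decoded as (linktype, [(timestamp, frame), ...])."""
    broker = PcapBroker()
    sub = socket.create_connection(("127.0.0.1", broker.port), timeout=5)
    try:
        _snaplen, linktype = read_global_header(sub)  # arrives as soon as we connect
        for i, frame in enumerate(SAMPLE_FRAMES):
            broker.publish(pcap_record(frame, ts=1700000000.0 + 0.25 * i))
        packets = [read_record(sub) for _ in SAMPLE_FRAMES]
    finally:
        sub.close()
        broker.close()
    return linktype, packets
```

Calling demo() stands in for the real setup, where the records published would come from a live tcpdump on the vulnbox and the subscriber would be Tulip or Arkime on the VPS reading the socket as a pcap file; because only a 24-byte header is added per connection, the cost over plain tcpdump is negligible, which is exactly why chaining instances is cheap.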
To reduce the number of connections to the vulnbox, you can also chain pcap-broker instances.
Both Tulip and Arkime have support for PCAP_OVER_IP.