
A/D Traffic Monitoring

OpenAttackDefenseTools/tulip

Tulip is a deep packet inspection (DPI) tool that allows inspecting and dissecting network traffic (especially TCP sessions) from a user-friendly web interface.

It allows quickly searching packet contents using regex queries, decoding them directly in the web interface and tagging traffic according to custom filters, as well as ingesting Suricata logs to annotate flows with IPS metadata and analyzing packet volume and service response times.
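The tag filters and Suricata annotation described above, as an added illustration in Python (not tulip's own code): constructed eve.json alert lines are matched to constructed flows by 5-tuple in either direction, and flows are tagged by payload regex. The flow records, log lines and filter names are all made up for the example.

```python
import json
import re

# Constructed sample flows (5-tuple plus reassembled payload); not real captures.
FLOWS = [
    {"src_ip": "10.60.1.5", "src_port": 41234, "dst_ip": "10.60.2.1",
     "dst_port": 8080, "data": "GET /notes?id=1 HTTP/1.1\r\n\r\nFLAG{c0nstructed}"},
    {"src_ip": "10.60.3.9", "src_port": 50001, "dst_ip": "10.60.2.1",
     "dst_port": 8080, "data": "POST /login HTTP/1.1\r\n\r\nuser=admin"},
]

# Constructed eve.json lines: an alert fired on the server->client direction (its
# 5-tuple is the reverse of flow 0), a non-alert event, and a truncated line.
EVE_LOG = "\n".join([
    json.dumps({"event_type": "alert", "src_ip": "10.60.2.1", "src_port": 8080,
                "dest_ip": "10.60.1.5", "dest_port": 41234,
                "alert": {"signature_id": 9000001, "signature": "Flag in HTTP body"}}),
    json.dumps({"event_type": "flow", "flow_id": 1234}),
    '{"event_type": "alert", "src_ip": "10.60.',
])

# Custom tag filters of the kind tulip lets you configure: tag name -> payload regex.
TAG_FILTERS = {
    "flag-out": re.compile(r"FLAG\{[^}]+\}"),
    "http": re.compile(r"^(GET|POST) /", re.M),
}


def parse_eve_alerts(text):
    """Map 5-tuple -> [signature, ...] from eve.json, skipping non-alerts and junk."""
    alerts = {}
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a truncated or non-JSON line
        if ev.get("event_type") == "alert":
            key = (ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"])
            alerts.setdefault(key, []).append(ev["alert"]["signature"])
    return alerts


def annotate(flows, alerts, filters):
    """Yield each flow with regex tags and any IDS signatures seen in either direction."""
    for f in flows:
        fwd = (f["src_ip"], f["src_port"], f["dst_ip"], f["dst_port"])
        rev = (f["dst_ip"], f["dst_port"], f["src_ip"], f["src_port"])
        sigs = alerts.get(fwd, []) + alerts.get(rev, [])
        tags = [name for name, rx in filters.items() if rx.search(f["data"])]
        yield {**f, "tags": tags + (["suricata"] if sigs else []), "suricata": sigs}
```

Matching both orientations matters because Suricata reports the 5-tuple of the packet that triggered the rule, which for a response-side signature is the reverse of the flow as the client opened it.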

One of its defining features is the Copy as Pwntools functionality, which generates a script that replicates the interactions of the selected TCP session.

arkime/arkime

Arkime (formerly Moloch) is an Elasticsearch-based network analysis tool with support for DPI on large-scale data.

The web interface is not as responsive or easy to use as tulip's. For example, searching for data in packets involves starting a hunt, which requires clicking through at least three different UI elements and returns results more slowly than other monitoring tools on similar queries.

The defining features of Arkime are its familiar tech stack and the ability to mesh multiple instances, which allows scaling to larger network loads than other tools. Under typical A/D CTF loads, though, this is usually not necessary.