[Feature Request] Add the possibility to dump the connection to a PCAP #557

Open
NRGLine4Sec opened this issue Dec 8, 2021 · 6 comments
Labels
feature a whole new feature

Comments

@NRGLine4Sec
Contributor

Hi @gustavo-iniguez-goya
Sometimes there are connections that are a little weird (an open-source tool that makes an outside connection it doesn't seem to need...), and it could be very useful to add an option in the advanced connection view to dump the connection.
I think we could create a PCAP of the connection or launch a tshark dump in a new terminal.
I don't really know how we could implement this, but this functionality could definitely be useful.
Thanks again for this great tool and all of your work on it 👍

@NRGLine4Sec NRGLine4Sec added the feature a whole new feature label Dec 8, 2021
@NRGLine4Sec
Contributor Author

Maybe the method used by this project can help to achieve this: nsntrace/nsntrace: Perform a network trace of a single process by using network namespaces.

@gustavo-iniguez-goya
Collaborator

Interesting 👍 The problem is how to implement it.

The daemon may be installed on a remote computer, so we should either dump the connections to a file and then send the file to the GUI (aka the server), or send the bytes of every packet to the GUI and save them to a file on the server side.

Technically it could be added just as another logger in the Statistics module (stats.onConnection). Right now we only write events to a log file, but we could have a generic Logger package with subpackages like Syslog, Postgres, Elastic, etc. that would write connections to all the configured submodules.
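
A minimal version of the per-connection logger sketched above, as an added example and not OpenSnitch's own code: it filters raw IP packets by the connection's 5-tuple and writes the matching ones as a standard pcap file using only the Go standard library. It assumes the daemon hands over raw IP packets without a link-layer header (as an nfqueue-fed daemon sees them), so the capture uses LINKTYPE_RAW; the FiveTuple type is a hypothetical stand-in for whatever connection object the daemon already holds, and the ipv4Packet helper only builds constructed sample packets so the code can be exercised offline.

```go
// Added example, not OpenSnitch code: a per-connection pcap logger using only the stdlib.
package main

import (
	"encoding/binary"
	"io"
	"net"
	"time"
)

// Microsecond pcap, little-endian; LINKTYPE_RAW (101): every record starts at the IP header.
const pcapMagic, linktypeRaw, snapLen = 0xa1b2c3d4, 101, 65535

// FiveTuple is a hypothetical stand-in for the daemon's own connection object.
type FiveTuple struct {
	Proto            uint8 // 6 = TCP, 17 = UDP
	SrcIP, DstIP     net.IP
	SrcPort, DstPort uint16
}

// parseIPv4 reads the 5-tuple of a raw IPv4 packet (IPv6 is left out here).
func parseIPv4(pkt []byte) (FiveTuple, bool) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return FiveTuple{}, false
	}
	ihl := int(pkt[0]&0x0f) * 4
	if ihl < 20 || len(pkt) < ihl+4 {
		return FiveTuple{}, false // truncated or malformed header
	}
	t := FiveTuple{Proto: pkt[9], SrcIP: net.IP(pkt[12:16]), DstIP: net.IP(pkt[16:20])}
	if t.Proto == 6 || t.Proto == 17 { // TCP/UDP: ports are the first 4 bytes of L4
		t.SrcPort = binary.BigEndian.Uint16(pkt[ihl:])
		t.DstPort = binary.BigEndian.Uint16(pkt[ihl+2:])
	}
	return t, true
}

// Matches is true for packets of this connection in either direction.
func (c FiveTuple) Matches(pkt []byte) bool {
	t, ok := parseIPv4(pkt)
	if !ok || t.Proto != c.Proto {
		return false
	}
	fwd := t.SrcIP.Equal(c.SrcIP) && t.DstIP.Equal(c.DstIP) && t.SrcPort == c.SrcPort && t.DstPort == c.DstPort
	rev := t.SrcIP.Equal(c.DstIP) && t.DstIP.Equal(c.SrcIP) && t.SrcPort == c.DstPort && t.DstPort == c.SrcPort
	return fwd || rev
}

// PcapWriter writes the 24-byte global header once, then a 16-byte record header per packet.
type PcapWriter struct{ w io.Writer }

func NewPcapWriter(w io.Writer) (*PcapWriter, error) {
	hdr := []uint32{pcapMagic, 2 | 4<<16, 0, 0, snapLen, linktypeRaw} // version 2.4, tz 0, sigfigs 0
	if err := binary.Write(w, binary.LittleEndian, hdr); err != nil {
		return nil, err
	}
	return &PcapWriter{w: w}, nil
}

func (p *PcapWriter) WritePacket(ts time.Time, pkt []byte) error {
	n := uint32(len(pkt)) // incl_len == orig_len: an IP packet never exceeds snapLen
	rec := []uint32{uint32(ts.Unix()), uint32(ts.Nanosecond() / 1000), n, n} // ts_sec, ts_usec, incl_len, orig_len
	if err := binary.Write(p.w, binary.LittleEndian, rec); err != nil {
		return err
	}
	_, err := p.w.Write(pkt)
	return err
}

// DumpConnection is the logger hook: feed it every packet the daemon sees; only conn's are written.
func DumpConnection(w io.Writer, conn FiveTuple, ts time.Time, pkts [][]byte) (int, error) {
	pw, err := NewPcapWriter(w)
	if err != nil {
		return 0, err
	}
	n := 0
	for _, pkt := range pkts {
		if !conn.Matches(pkt) {
			continue
		}
		if err := pw.WritePacket(ts, pkt); err != nil {
			return n, err
		}
		n++
	}
	return n, nil
}

// ipv4Packet builds a constructed IPv4 + TCP/UDP packet (checksums left zero) for offline tests.
func ipv4Packet(proto uint8, src, dst net.IP, sport, dport uint16, payload []byte) []byte {
	pkt := make([]byte, 28+len(payload))
	pkt[0], pkt[8], pkt[9] = 0x45, 64, proto // IHL 5, TTL 64
	binary.BigEndian.PutUint16(pkt[2:], uint16(len(pkt)))
	copy(pkt[12:16], src.To4())
	copy(pkt[16:20], dst.To4())
	binary.BigEndian.PutUint16(pkt[20:], sport)
	binary.BigEndian.PutUint16(pkt[22:], dport)
	copy(pkt[28:], payload)
	return pkt
}
```

DumpConnection takes any io.Writer, so the same code serves both options discussed above: write to a local file that is shipped to the GUI afterwards, or write straight into whatever stream carries data to the GUI, which then stores it. The output is a plain pcap that opens in Wireshark or with `tshark -r conn.pcap`. Only IPv4 is parsed here; IPv6 needs its own header walk.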

@NRGLine4Sec
Contributor Author

NRGLine4Sec commented Jun 19, 2023

It would be interesting to be able to capture TLS-encrypted traffic as well, maybe using the same method described in this post: Debugging with eBPF Part 3: Tracing SSL/TLS connections | Pixie Labs Blog. Another tool that could be interesting too: tls-tracing-with-ebpf/c-cpp-version at main · bmiguel-teixeira/tls-tracing-with-ebpf.
Also, we may need another implementation for TLS encryption done in kernel space, as produced by kTLS.
This would enable us to detect malware abusing DoH, like this one: ChamelGang and ChamelDoH: A DNS-over-HTTPS implant - Stairwell
I don't really know how this could be implemented or if it's actually possible in OpenSnitch, just sharing some ideas.

@gustavo-iniguez-goya
Collaborator

There was some work in this regard here: https://github.com/evilsocket/opensnitch/tree/passive-tls-query
I've played a couple of times with it, but never managed to do something interesting.

Passively sniffing TLS traffic would probably be doable, as we do with DNS queries.

Btw! The latest release v1.6.0 doesn't match the version of the packages.
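
What the passive approach mentioned above can get without any key material, as an added example that is not part of the linked branch or of OpenSnitch: a parser that pulls the SNI and ALPN values out of a TLS ClientHello, the way DNS queries are already inspected on the wire. The buildClientHello helper constructs a sample hello for offline testing and is not captured traffic; everything else is standard-library Go.

```go
// Added example, not OpenSnitch code: passive SNI/ALPN extraction from a TLS ClientHello.
package main

import (
	"encoding/binary"
	"errors"
)

type ClientHelloInfo struct {
	ServerName string   // SNI; empty when absent or hidden by Encrypted ClientHello
	ALPN       []string // offered protocols, e.g. "h2" from an HTTP/2 (DoH) client
}

var errShort = errors.New("truncated ClientHello")

// ParseClientHello walks the record header, handshake header and extensions of a
// ClientHello. It needs only the first segment of a connection and no key material.
func ParseClientHello(b []byte) (ClientHelloInfo, error) {
	var info ClientHelloInfo
	// record: type(1)=0x16 version(2) length(2); handshake: type(1)=0x01 length(3)
	if len(b) < 9 || b[0] != 0x16 || b[5] != 0x01 {
		return info, errors.New("not a TLS ClientHello record")
	}
	recLen := int(binary.BigEndian.Uint16(b[3:5]))
	hsLen := int(b[6])<<16 | int(b[7])<<8 | int(b[8])
	if 5+recLen > len(b) || 4+hsLen > recLen {
		return info, errShort
	}
	hs := b[9 : 9+hsLen]
	p := 34 // past client_version(2) and random(32)
	for _, w := range []int{1, 2, 1} { // session_id, cipher_suites, compression_methods
		if p+w > len(hs) {
			return info, errShort
		}
		n := int(hs[p])
		if w == 2 {
			n = int(binary.BigEndian.Uint16(hs[p:]))
		}
		p += w + n
	}
	if p == len(hs) {
		return info, nil // no extensions at all: legal, but rare today
	}
	if p+2 > len(hs) || p+2+int(binary.BigEndian.Uint16(hs[p:])) > len(hs) {
		return info, errShort
	}
	ext := hs[p+2 : p+2+int(binary.BigEndian.Uint16(hs[p:]))]
	for len(ext) >= 4 { // each extension: type(2) length(2) body
		typ, l := binary.BigEndian.Uint16(ext), int(binary.BigEndian.Uint16(ext[2:]))
		if 4+l > len(ext) {
			return info, errShort
		}
		body := ext[4 : 4+l]
		switch typ {
		case 0x0000: // server_name: list_len(2) name_type(1)=host_name name_len(2) name
			if len(body) >= 5 && body[2] == 0 && 5+int(binary.BigEndian.Uint16(body[3:])) <= len(body) {
				info.ServerName = string(body[5 : 5+int(binary.BigEndian.Uint16(body[3:]))])
			}
		case 0x0010: // ALPN: list_len(2) then (len(1) name)*
			for q := 2; q < len(body); {
				n := int(body[q])
				if q+1+n > len(body) {
					return info, errShort
				}
				info.ALPN = append(info.ALPN, string(body[q+1:q+1+n]))
				q += 1 + n
			}
		}
		ext = ext[4+l:]
	}
	return info, nil
}

func u16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }

// buildClientHello assembles a constructed ClientHello (zero random, one cipher
// suite) carrying the given SNI and ALPN list; used only to exercise the parser.
func buildClientHello(sni string, alpn []string) []byte {
	var ext []byte
	if sni != "" {
		entry := append(append([]byte{0}, u16(len(sni))...), sni...)
		list := append(u16(len(entry)), entry...)
		ext = append(append(append(ext, 0x00, 0x00), u16(len(list))...), list...)
	}
	if len(alpn) > 0 {
		var list []byte
		for _, a := range alpn {
			list = append(append(list, byte(len(a))), a...)
		}
		list = append(u16(len(list)), list...)
		ext = append(append(append(ext, 0x00, 0x10), u16(len(list))...), list...)
	}
	// client_version, random(32), empty session_id, one cipher suite, null compression
	body := append(append([]byte{3, 3}, make([]byte, 32)...), 0, 0, 2, 0x13, 0x01, 1, 0)
	body = append(append(body, u16(len(ext))...), ext...)
	hs := append([]byte{1, 0, byte(len(body) >> 8), byte(len(body))}, body...)
	return append([]byte{0x16, 3, 1, byte(len(hs) >> 8), byte(len(hs))}, hs...)
}
```

SNI (for instance dns.google) together with ALPN (h2 for an HTTP/2 client) is a cheap first signal that a process is talking HTTPS to a public DoH resolver, which is the DoH-abuse case raised earlier in the thread. The check says nothing when a client omits SNI, connects by IP address or uses Encrypted ClientHello, and it never sees the DNS messages inside the tunnel; for that, the eBPF uprobe or friTap-style hooking discussed here is still needed.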

@NRGLine4Sec
Contributor Author

Oh great, I didn't know that there were some tests about this.

Don't worry, I had noticed that the version was not consistent for v1.6.0 packages. I'll just adapt my script a little bit, no problem. :)

@NRGLine4Sec
Contributor Author

NRGLine4Sec commented Feb 9, 2024

Maybe this project can help to capture TLS-encrypted traffic: fkie-cad/friTap: The goal of this project is to help researchers to analyze traffic encapsulated in SSL or TLS.
For more information: friTap - Decrypting TLS on the fly :: lolcads tech blog
