Packet monster, or Packémon for short! (っ‘-’)╮=͟͟͞͞◒ ヽ( '-'ヽ)
packemon_dns_windows.mp4
TUI tool for generating packets of arbitrary input and monitoring packets on any network interfaces (default: eth0). The list of interfaces to be specified is output when packemon interfaces is run.
This tool works on Windows, macOS, and Linux.
This TUI tool is now available on macOS because of cluster2600 support. Thanks🎉!
I intend to develop it patiently🌴
The images of Packemon on REDME should be used as reference only, as they may look different from the actual Packemon.
Warning
This tool is implemented with protocol stacks from scratch and utilizes raw socket.
There may be many bugs. If you find a bug, I would be glad if you raise an issue or give me a pull request!
This TUI tool has two major functions: packet generation and packet monitoring.
| Generated DNS query and Recieved response |
Displayed DNS response detail | Filtered packets |
|---|---|---|
This image shows packemon running in Generator / Monitor mode.
DNS query packet generated by Generator on the left is shown in 56 line of the Monitor. DNS query response packet is shown as 57 line, and a more detailed view of it is shown in the middle image.
See here for detailed instructions.
Packemon's Monitor allows user to select each packet by pressing Enter key. Then, select any line and press Enter key to see the details of the desired packet. Pressing Esc key in the packet detail screen will return you to the original packet list screen.
The rightmost image shows how the packet list is filtered.
- You can specify network interface with
--interfaceflag. Default iseth0.
details
-
Ethernet
- IEEE802.1Q(VLAN tag)
-
ARP
-
IPv4
-
IPv6
-
ICMPv4
-
ICMPv6
-
TCP
-
UDP
-
TLSv1.2
-
Implementation using Go standard package (The following are valid fields;)
- IPv4:
Source IP Addr,Destination IP Addr - IPv6:
Source IP Addr,Destination IP Addr - TCP:
Source Port,Destination Port,Do TCP 3way handshake ?(Check required) - HTTP: All fields
- IPv4:
-
Experimental implementation (full scratch)
- This tool is not very useful because the number of cipher suites it supports is still small, but an environment where you can try it out can be found here.
- TCP 3way handshake ~ TLS handshake ~ TLS Application data (encrypted HTTP)
- Supported cipher suites include
TLS_RSA_WITH_AES_128_GCM_SHA256
- You can check the server for available cipher suites with the following command
nmap --script ssl-enum-ciphers -p 443 <server ip>
- This tool is not very useful because the number of cipher suites it supports is still small, but an environment where you can try it out can be found here.
-
-
TLSv1.3
-
Implementation using Go standard package (The following are valid fields;)
- IPv4:
Source IP Addr,Destination IP Addr - IPv6: (Not available... Coming soon!)
- TCP:
Source Port,Destination Port,Do TCP 3way handshake ?(Check required) - HTTP: All fields
- IPv4:
-
Experimental implementation (full scratch)
- This tool is not very useful because the number of cipher suites it supports is still small, but an environment where you can try it out can be found here.
- TCP 3way handshake ~ TLS handshake ~ TLS Application data (encrypted HTTP)
- Supported cipher suites include
TLS_CHACHA20_POLY1305_SHA256
- This tool is not very useful because the number of cipher suites it supports is still small, but an environment where you can try it out can be found here.
-
-
QUIC (Using github.com/quic-go/quic-go. The following are valid fields;)
- IPv4:
Source IP Addr,Destination IP Addr - IPv6:
Source IP Addr,Destination IP Addr - UDP:
Source Port,Destination Port(UDP selection required) - QUIC: All fields
- HTTP: All fields
- 🥳< HTTP/3!
- IPv4:
-
DNS (WIP)
-
HTTP (WIP)
-
xxxxx....
-
Routing Protocols
- IGP (Interior Gateway Protocol)
- OSPF (Open Shortest Path First)
- EIGRP (Enhanced Interior Gateway Routing Protocol)
- RIP (Routing Information Protocol)
- EGP (Exterior Gateway Protocol)
- BGP (Border Gateway Protocol)
- Currently there is only debug mode
- TCP 3way handshake ~ Open ~ Keepalive ~ Update ~ Notification
- Currently there is only debug mode
- BGP (Border Gateway Protocol)
- IGP (Interior Gateway Protocol)
Warning
While using Generator mode, TCP RST packets automatically sent out by the kernel are dropped. When this mode is stopped, the original state is restored. Probably😅. Incidentally, dropping RST packets is done by running the eBPF program. The background note incorporating the eBPF is the POST of X around here.
Tip
While in Generator mode, output of bpf_printk of eBPF program can be checked by executing the following command.
$ sudo mount -t debugfs none /sys/kernel/debug (only once)
$ sudo cat /sys/kernel/debug/tracing/trace_pipe
- You can specify network interface with
--interfaceflag. Default iseth0.
- You can filter the values for each item (e.g.
Dst,Proto,SrcIP...etc.) displayed in the listed packets.
details
- Ethernet
- IEEE802.1Q(VLAN tag)
- ARP
- IPv4 (WIP)
- IPv6 (WIP)
- ICMPv4 (WIP)
- ICMPv6
- TCP (WIP)
- UDP
- TLSv1.2 (WIP)
- TLSv1.3
- DNS (WIP)
- DNS query
- DNS query response
- xxxxx....
- HTTP (WIP)
- HTTP GET request
- HTTP GET response
- xxxxx....
- xxxxx....
- Routing Protocols
- IGP (Interior Gateway Protocol)
- OSPF (Open Shortest Path First)
- EIGRP (Enhanced Interior Gateway Routing Protocol)
- RIP (Routing Information Protocol)
- EGP (Exterior Gateway Protocol)
- BGP (Border Gateway Protocol)
- IGP (Interior Gateway Protocol)
Warning
If packet parsing fails, it is indicated by “Proto:ETHER” as shown in the following image.
If you want to check the details of the packet, you can select the line, save it to a pcapng file, and import it into Wireshark or other software🙏
Important
For Linux, require 'Dependencies' section of https://ebpf-go.dev/guides/getting-started/#ebpf-c-program
For Windows, require Npcap. Check the following
Support raw 802.11 traffic (and monitor mode) for wireless adaptersInstall Npcap in WinPcap API-compatible Mode
$ git clone git@github.com:ddddddO/packemon.git $ cd packemon (For Linux) $ cd tc_program/ && go generate && cd - (For Linux or macOS) $ go build -o packemon cmd/packemon/*.go $ ls | grep packemon $ mv packemon /usr/local/bin/ (For Windows) $ go build -o packemon.exe .\cmd\packemon\
Important
It might be that the generation of the executable file is failing. At that time, install it in another way!
For arm64, convert “amd64” to “arm64” in the following commands and execute them.
deb $ export PACKEMON_VERSION=X.X.X $ curl -o packemon.deb -L https://github.com/ddddddO/packemon/releases/download/v$PACKEMON_VERSION/packemon_$PACKEMON_VERSION-1_amd64.deb $ dpkg -i packemon.deb rpm $ export PACKEMON_VERSION=X.X.X $ (Ubuntu) yum install https://github.com/ddddddO/packemon/releases/download/v$PACKEMON_VERSION/packemon_$PACKEMON_VERSION-1_amd64.rpm or $ (Fedora) dnf install https://github.com/ddddddO/packemon/releases/download/v$PACKEMON_VERSION/packemon_$PACKEMON_VERSION-1_amd64.rpm apk $ export PACKEMON_VERSION=X.X.X $ curl -o packemon.apk -L https://github.com/ddddddO/packemon/releases/download/v$PACKEMON_VERSION/packemon_$PACKEMON_VERSION-1_amd64.apk $ apk add --allow-untrusted packemon.apk Homebrew $ brew install ddddddO/tap/packemon AUR https://aur.archlinux.org/packages?K=packemon
Confirmed executable in the following environments
- OS: Debian GNU/Linux 12 (bookworm) on WSL2
- Kernel: 5.15.167.4-microsoft-standard-WSL2
- Architecture: x86_64
- OS: Ubuntu 22.04.3 LTS on WSL2
- Kernel: 5.15.167.4-microsoft-standard-WSL2
- Architecture: x86_64
- OS: Fedora Linux 42 on WSL2
- Kernel: 5.15.167.4-microsoft-standard-WSL2
- Architecture: x86_64
- OS: Debian GNU/Linux 12 (bookworm) on Google Pixel 7a
- Kernel: 6.1.0-34-arm64
- Architecture: aarch64
- OS: macOS
- OS: Windows 11 Pro
- Confirm MAC address of default gateway (via PowerShell)
PS > $defaultGateway = (Get-NetRoute -DestinationPrefix "0.0.0.0/0" | Sort-Object -Property InterfaceMetric | Select-Object -First 1).NextHop PS > echo $defaultGateway 192.168.10.1 PS > Get-NetNeighbor -IPAddress $defaultGateway | Select-Object -ExpandProperty LinkLayerAddress
- Confirm MAC address of default gateway (via PowerShell)
cmd
- OS:
cat /etc/os-release- Kernel:
uname -r - Architecture:
uname -m
- Kernel:
For macOS, besides Homebrew, this is also easy.
Important
For Windows, require Npcap. Check the following
Support raw 802.11 traffic (and monitor mode) for wireless adaptersInstall Npcap in WinPcap API-compatible Mode
$ go install github.com/ddddddO/packemon/cmd/packemon@latest
$ packemon --help
NAME:
packemon - Packet monster (っ‘-’)╮=͟͟͞͞◒ ヽ( '-'ヽ) TUI tool for sending packets of arbitrary input and monitoring packets on any network interfaces (default: eth0). Windows/macOS/Linux
⌒丶、_ノ⌒丶、_ノ⌒丶、_ノ⌒丶、_ノ⌒丶、_ノ⌒丶、_ノ
○
о
。
,、-、_ __
,、-―、_,、'´  ̄ `ヽ,
/ ・ . l、
l, ヾニニつ `ヽ、
| `ヽ,
ノ ノ
/:::: /
/::::::: ..::l、
/::::::::::::::::::......:::::::. ............::::::::::`l,
l::::::::::::::::::::::::::::::::::::...... ....:::::::::::::::::::::::::::::`l,
ヽ,:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::ノ
 ̄ ̄``ヽ、_:::::::::::::::::::::::,、-―´ ̄`ヽ、,、-'
`ヽ―-―'´
USAGE:
packemon [global options] [command [command options]]
VERSION:
1.8.0 / revision cb61da2
COMMANDS:
monitor, m, mon Monitor mode. You can monitor packets received and sent on the specified interface. Default is 'eth0' interface.
generator, g, gen Generator mode. Arbitrary packets can be generated and sent.
interfaces, i, intfs Check the list of interfaces.
debugging, d, debug Debugging mode.
version, v Prints the version.
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--help, -h show help
--version, -v print the version
$$ sudo setcap cap_net_raw,cap_bpf,cap_sys_admin,cap_net_admin+ep /path/to/packemon
$ packemon generatoror
$ sudo packemon generator$ sudo setcap cap_net_raw+ep /path/to/packemon
$ packemon monitoror
$ sudo packemon monitorPackemon serves as an educational tool for understanding network protocols by allowing hands-on experimentation. You can generate custom packets at different OSI layers and observe their behavior, making it ideal for learning TCP/IP fundamentals.
The tool supports testing custom protocol implementations across multiple layers including Ethernet, ARP, IPv4/IPv6, ICMP, TCP/UDP, TLS, DNS, and HTTP. This makes it valuable for developers working on network protocol stacks or testing protocol compliance.
Packemon provides packet monitoring capabilities similar to Wireshark, allowing you to capture and analyze network traffic in real-time. You can filter packets, examine protocol details, and export captured data to pcapng format for further analysis.
The tool can be used for security research, including testing for vulnerabilities like DNS reflection attacks.
Packemon demonstrates how to build network tools from scratch, serving as a reference implementation for developers creating their own packet manipulation utilities.
process
-
setup
# Generator $ sudo packemon generator# Monitor $ sudo packemon monitor← Generator | Monitor →
-
Generator
-
Lα>Ethernet>Ether Type> IPv4 -
Lβ>IPv4>Protocol> UDP -
Lβ>IPv4>Destination IP Addr> 1.1.1.1- Enter the address of DNS resolver here. Above is the address of Cloudflare resolver.
-
Lγ>UDP>Destination Port> 53 -
Lγ>UDP>Automatically calculate length ?> (Check!) -
Lε>DNS>Queries Domain> go.dev- Enter here the domain for which you want to name resolution.
-
Lε>DNS> Click on Send!- At this time, DNS query is sent with the contents set so far.
-
-
Monitor
-
Find records where
Proto: DNS andDstIPorSrcIPis 1.1.1.1. Select each record to see the packet structure of the DNS query and the packet structure of the DNS response.-
List
-
DNS query (
DstIP: 1.1.1.1) -
DNS response (
SrcIP: 1.1.1.1)
-
-
This is a method for identifying which hosts (devices) are operational on a network.
details
| Description | How to do it in Pakemon (Generator) | |
|---|---|---|
| ARP Scan | On a local network, broadcast an ARP request to identify the host that responds. Verify the association between the IP address and MAC address. | Currently, Packemon does not support specifying IP address ranges for requests, so you have to specify each one individually... - Lα > Ethernet > Destination Mac Addr > 0xffffffffffff- Lα > Ethernet > Ether Type > ARP- Lβ > ARP > Hardware Type > 0x0001- Lβ > ARP > Protocol Type > 0x0800- Lβ > ARP > Hardware Size > 0x06- Lβ > ARP > Protocol Size > 0x04- Lβ > ARP > Operation Code > 0x0001- Lβ > ARP > Target Mac Addr > 0x000000000000- Lβ > ARP > Target IP Addr > (Target IP Addr)- Lβ > ARP > Click on Send! |
| Ping Sweep | Send ICMP echo requests to multiple IP addresses on the network to identify the hosts that return echo replies. This is a simple and widely used technique. | Currently, Packemon does not support specifying IP address ranges for requests, so you have to specify each one individually... - Lα > Ethernet > Ether Type > IPv4- Lβ > IPv4 > Protocol > ICMP- Lβ > IPv4 > Destination IP Addr > (Target IP Addr)- Lγ > ICMP > Type > 0x08- Lγ > ICMP > Click on Send! |
This is a method for identifying which ports are open (which services are running) on a network device. It is used by attackers to find vulnerable services and by administrators to verify security settings.
details
| Description | How to do it in Pakemon (Generator) | |
|---|---|---|
| TCP Connect Scan | This is the most basic scanning method, which verifies whether a port is open by performing a complete TCP three-way handshake (SYN -> SYN/ACK -> ACK). | - Lα > Ethernet > Ether Type > IPv4- Lβ > IPv4 > Protocol > TCP- Lβ > IPv4 > Destination IP Addr > (Target IP Addr)- Lγ > TCP > Do TCP 3way handshake ? > (Check!)- Lγ > TCP > Destination Port > (Target Port)- Lγ > TCP > Click on Send! |
| SYN Scan (Half-open Scan) | This technique checks port availability without completing the TCP handshake. It sends a SYN packet; if a SYN/ACK packet is returned, the port is deemed open. It then sends a RST packet to reset the connection. Because it leaves minimal traces in logs, it is also called a stealth scan. | When using Packemon on Linux, since it drops RST packets, I only wrote the procedure for sending Syn packets. - Lα > Ethernet > Ether Type > IPv4- Lβ > IPv4 > Protocol > TCP- Lβ > IPv4 > Destination IP Addr > (Target IP Addr)- Lγ > TCP > Do TCP 3way handshake ? > (No Check!)- Lγ > TCP > Flags > 0x02- Lγ > TCP > Destination Port > (Target Port)- Lγ > TCP > Click on Send! |
| UDP Scan | Because it uses the connectionless UDP protocol, it is well-suited for verifying whether a UDP port is open or closed. It sends a UDP packet and determines that the port is open if there is no ICMP Port Unreachable (Type 3, Code 3) response. | - Lα > Ethernet > Ether Type > IPv4- Lβ > IPv4 > Protocol > UDP- Lβ > IPv4 > Destination IP Addr > (Target IP Addr)- Lγ > UDP > Destination Port > (Target Port)- Lγ > UDP > Click on Send! |
This is a method for detecting known vulnerabilities (such as in operating systems, applications, or configuration errors).
details
| Description | How to do it in Pakemon (Generator) | |
|---|---|---|
| Automated Scanners | Using tools such as Nessus and OpenVAS, we perform automated scans based on known vulnerability databases. | - |
| Banner Grabbing | Connect to the port and retrieve the “banner” returned by the service (e.g., web server version information) to check for known vulnerabilities. | - |
details
| Description | How to do it in Pakemon (Generator) | |
|---|---|---|
| OS Fingerprinting | This technique identifies the target host's operating system by analyzing TCP/IP packet characteristics such as TTL values and window sizes. | - |
| Port Redirection | This scan verifies settings for forwarding packets to different ports or hosts. | - |
- Nmap
- Scapy
- google/gopacket / gopacket/gopacket (maintained)
- cloverstd/tcping
- akase244/synpack
-
- Packemon is using this TUI library.
-
- The way Go handles syscalls, packet checksum logic, etc. was helpful. Packemon was inspired by this book and began its development. This is a book in Japanese.
xxx
-
「Golangで作るソフトウェアルータ」
- その実装コード: https://github.com/sat0ken/go-curo
-
動作確認用コマンドの参考
-
WSL2のDebianで動作した。
-
任意の Ethernet ヘッダ / IPv4 ヘッダ / ARP / ICMP を楽に作れてフレームを送信できる
-
以下はtmuxで3分割した画面に各種ヘッダのフォーム画面を表示している。そして ICMP echo request を送信し、 echo reply が返ってきていることを Wireshark で確認した様子
-
フレームを受信して詳細表示(ARPとIPv4)
少し前のUI(`5062561` のコミット)
-
TUIライブラリとして https://github.com/rivo/tview を使わせてもらってる🙇
pi@raspberrypi:~ $ sudo go run main.go$ sudo tcpdump -U -i eth0 -w - | /mnt/c/Program\ Files/Wireshark/Wireshark.exe -k -i --
受信画面
$ sudo go run cmd/packemon/main.go monitor -
送信画面
$ sudo go run cmd/packemon/main.go generator -
単発フレーム送信コマンド(e.g. ARP request)
$ sudo go run cmd/packemon/main.go debugging --send --proto arp
# TLS v1.2 でリクエスト
$ curl -k -s -v --tls-max 1.2 https://192.168.10.112:10443
# TLS v1.3 でリクエスト
$ curl -k -s -v --tls-max 1.3 https://192.168.10.112:10443
# TLS v1.3 で cipher suites を指定してリクエスト(ただし、Client Hello の Cipher Suites のリストが、その指定のみになるわけではなく、一番上(最優先)にくるというもの(パケットキャプチャで確認))
$ curl -k -s -v --tls-max 1.3 --tls13-ciphers "TLS_CHACHA20_POLY1305_SHA256" https://192.168.10.112:10443$ arping -c 1 1.2.3.4
ARPING 1.2.3.4 from 172.23.242.78 eth0
Sent 1 probes (1 broadcast(s))
Received 0 response(s)$ nslookup -vc github.comどうするか
$ ip -6 route
$ ping -c 1 fe80::1$ sudo go run cmd/packemon/main.go debugging --send --proto tcp-3way-httpxxx
-
Ethernetフレームのみ作って送信(
77c9149でコミットしたファイルにて) -
ARPリクエストを作って送信(
390f266でコミットしたファイルにて。中身はめちゃくちゃと思うけど) -
ARPリクエストを受信してパース(
b6a025aでコミット)