PCAP tool that aids in locating misconfigured network stacks.
The tool's function is to identify and capture Address Resolution Protocol (ARP) requests that are not intended for the local network.
- Live capture on specific interface (-i)
- Offline capture from file (-f)
- Network (-n) and netmask (-m) override
- Run capture for a duration (-d)
- Exit on single match (-1)
- MAC/OUI to organization look up using IEEE OUI data (-O) - libcsv
- Process all networks (-A) as a basic request monitor
- Process probes (-p) and announcements (-a)
- Quick list of intefaces with details (-L)
- JSON output (-j) - libjansson
- ISO 8601 timestamps both local (-t) and UTC (-u).
- Verbose mode (-v)
- libc6
- libpcap0.8
- libcsv3 - optional
- libjansson4 - optional
Download the latest release Debian package (.deb) and
install using dpkg or your favourite APT front-end.
set VER="0.2-1"
sudo dpkg -i nomadcap_${VER}_amd64.debInstall build essentials and PCAP library with headers.
sudo apt update
sudo apt install build-essential libpcap0.8 libpcap-devOptional. Compile with IEEE OUI support. Install libcsv for parsing.
sudo apt install libcsv3 libcsv-dev ieee-dataOptional. Compile with JSON support. Install libjansson for JSON output.
sudo apt install libjansson4 libjansson-devClone this repository and run make. Results are in the directory build/.
git clone https://github.com/rancorm/nomadcap.git
cd nomadcap
make
build/nomadcap -hGeneral tool and command line switch usage.
Run nomadcap -h to show help.
nomadcap -hnomadcap v0.2 [Mis-configured network stack identification tool]
Usage: nomadcap [-i INTF] [-n NETWORK -m NETMASK] [-f FILE.PCAP] [-d SECONDS] [-OjApa1tuLvV]
-i INTF Capture on specific interface
-n NETWORK Capture network (e.g. 192.0.2.0)
-m NETMASK Capture netmask (e.g. 255.255.255.0)
-f FILE.PCAP Offline capture using FILE.PCAP
-d SECONDS Duration of capture (default: 60, forever: 0)
-O MAC OUI to organization
-A All networks (ARP request monitor)
-p Process ARP probes
-a Process ARP announcements
-1 Exit after single match
-t ISO 8601 timestamps
-u Show timestamps in UTC
-L List available interfaces
-j JSON output
-v Verbose mode
-V Version
Run nomadcap under sudo, root, or group with permission to perform live capture.
sudo nomadcap -vCapture on interface wlo1 for network 192.168.2.0 with subnet mask 255.255.255.0.
In this example 10.0.70.5 is the misconfigured host looking for the default gateway 10.0.70.1.
Capture for the default duration of 60 seconds.
Looking for interface...
Found interface: wlo1
Flags: 0x00000001
Duration: 60 seconds
Listening on: wlo1
Local network: 192.168.2.0
Network mask: 255.255.255.0
Started at: 1982-06-26T08:50:09.885-0400
10.0.70.5 [dc:a6:32:e7:ec:72] is looking for 10.0.70.1
ARP announcement, ignoring...
10.0.70.5 [dc:a6:32:e7:ec:72] is looking for 10.0.70.1
10.0.70.5 [dc:a6:32:e7:ec:72] is looking for 10.0.70.1
^CInterrupt signal
10.0.70.5 [dc:a6:32:e7:ec:72] is looking for 10.0.70.1
Packets received: 5
Packets dropped: 0
Done
sudo nomadcap -Ov -1 -d 0Another example using single match (-1), OUI look up (-O), verbose mode (-v), and capture forever (-d 0) features.
Looking for interface...
Found interface: wlo1
Flags: 0x00000241
Loading OUI data from /usr/share/ieee-data/oui.csv...
Loaded 32,531 OUIs
Listening on: wlo1
Local network: 192.168.2.0
Network mask: 255.255.255.0
Started at: 2024-01-11T04:20:09.885-0400
Local traffic, ignoring...
Local traffic, ignoring...
Local traffic, ignoring...
Local traffic, ignoring...
Local traffic, ignoring...
10.0.70.252 [a4:2a:95:15:c9:10 - D-Link International] is looking for 10.0.70.1
Packets received: 10
Packets dropped: 0
Done
nomadcap -Ov -f nomad.pcapngRead from offline file (-f) nomad.pcapng in verbose mode (-v) with OUI look up (-O).
Note, the warning about using -f without -n, in this example capture came from same network as interface, otherwise we would have used -n and -m switch respectfully.
Also note, it's run with standard user privileges.
WARNING: Using -f (file) capture without -n (network) switch
Looking for interface...
Found interface: wlo1
Flags: 0x00000221
Loading OUI data from /usr/share/ieee-data/oui.csv...
Loaded 32,531 OUIs
Loading capture file: nomad.pcapng
Listening on: wlo1
Local network: 192.168.2.0
Network mask: 255.255.255.0
Started at: 2024-01-06T02:50:09.885-0400
10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1
10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1
10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1
10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1
10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1
10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1
10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1
10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1
Local traffic, ignoring...
10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1
10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1
10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1
10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1
10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1
Done
sudo nomadcap -Ov -j -1 -tCapture single match (-1) with organization details (-O) in verbose (-v) JSON mode (-j), with timestamps (-t). JSON mode prints a JSON object with capture details and results (if any).
{
"found_intf": "wlo1",
"flags": 1601,
"oui_file": "/usr/share/ieee-data/oui.csv",
"ouis": 32531,
"duration": 60,
"listening_on": "wlo1",
"localnet": "192.168.2.0",
"netmask": "255.255.255.0",
"results": [
{
"src_ip": "10.0.70.252",
"src_ha": "a4:2a:95:15:c9:10",
"tgt_ip": "10.0.70.1",
"ts": "2024-01-06T02:50:09.885-0400",
"org": "D-Link International"
}
],
"started_at": "2024-01-06T01:50:03.245-0400",
"stats": {
"pkts_recv": 4,
"pkts_drop": 0
},
"version": "0.2"
}%