packet-o-matic

About

packet-o-matic is a real time packet processor under the GPL license. It mainly does network forensics. It is able to dump, log multiple informations about various types of connections. It reads the packet from an input module, match the packet using rules and connection tracking information and then send it to a target module. For example, it can read an HTTP connection, output a log file in the same format than apache log files and also dump credential informations along with the payload of the request.
This has been tested on Linux/x86, Linux/x86_64, Linux/hppa, Linux/sparc, FreeBSD/x86, Solaris/sparc and OSX/ppc.

News

2011/05/26 : String storage in datastore_postgres changed from varchara to bytea.
2010/01/09 : Docsis 3 support added using multiple DVB-C cards

Main features

Below are a few examples of what packet-o-matic can do :

• Log IRC conversations in files
• Dump images transfered over HTTP into a folder and log the corresponding requests in a database
• Store a subset of the packets in a pcap file
• Sniff a DOCSIS 3 network and output all the packets to a virtual interface for use with other tools
• Save raw payload of specified connections based on IP/port or other into separate files for each connections
• Save all the VoIP calls going on an interface in separate files in real time
• Reinject packets destinated to a specific ip and port on another interface or save them in a file
• Lots of other stuff which would be too long to list here

Modules

Currently implemented modules :

• input modules : docsis, pcap
• match modules : 80211, docsis, ethernet, icmp, icmpv6, ipv4, ipv6, linux_cooked, ppi, prism, radiotap, rtp, tcp, udp, vlan
• conntrack modules : ipv4, ipv6, rtp, tcp, udp
• helper modules : docsis, ipv4, ipv6, tcp, rtp
• target modules : display, dump_payload, http, inject, irc, null, msn, pcap, pop, rtp tap, tcpkill
• datastore modules : mysql, sqlite, postgres

Sources

Source code is available via svn. You can download a live copy of the source repository by using the following command :

svn checkout https://svn.tuxicoman.be/svn/packet-o-matic/trunk packet-o-matic

Alternatively, you can browse the sources using WebSVN.

Contact

Feel free to contact me directly via email at gmsoft@tuxicoman.be or via the mailing list. Any comment, suggestion or feature request is highly appreciated.
You can aslo come on irc.libera.chat and join #packet-o-matic where I'll be hanging.