{"id":21343152,"url":"https://github.com/rancorm/nomadcap","last_synced_at":"2026-05-12T04:32:27.623Z","repository":{"id":209081087,"uuid":"718590329","full_name":"rancorm/nomadcap","owner":"rancorm","description":"Tool that helps find mis-configured network stacks by capturing and analyzing live or saved traffic. JSON output, exit on first match, and more.","archived":false,"fork":false,"pushed_at":"2024-03-25T00:59:23.000Z","size":81,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-22T15:45:51.391Z","etag":null,"topics":["arp","ethernet","host-configuration","infrastructure","internetworking","linux","macos","network","network-analysis","network-configuration","network-stack","networking","oui","pcap"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rancorm.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-11-14T12:00:37.000Z","updated_at":"2024-07-16T20:44:20.000Z","dependencies_parsed_at":"2024-01-05T01:36:36.599Z","dependency_job_id":"4a6024b8-8342-4c45-b637-7f9378272bf2","html_url":"https://github.com/rancorm/nomadcap","commit_stats":null,"previous_names":["jcormir/nomadcap","rancorm/nomadcap"],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rancorm%2Fnomadcap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rancorm%2Fnomadcap/tags","releases_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/repositories/rancorm%2Fnomadcap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rancorm%2Fnomadcap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rancorm","download_url":"https://codeload.github.com/rancorm/nomadcap/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243818199,"owners_count":20352629,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["arp","ethernet","host-configuration","infrastructure","internetworking","linux","macos","network","network-analysis","network-configuration","network-stack","networking","oui","pcap"],"created_at":"2024-11-22T01:12:14.147Z","updated_at":"2026-05-12T04:32:27.614Z","avatar_url":"https://github.com/rancorm.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# nomadcap\n\n[PCAP](https://en.wikipedia.org/wiki/Pcap) tool that aids in locating misconfigured network stacks.\n\nThe tool's function is to identify [Address Resolution Protocol](https://en.wikipedia.org/wiki/Address_Resolution_Protocol) (ARP)\nrequests that are not intended for the local network.\n\n## Features\n\n- Live capture on specific interface (-i en0)\n- Offline capture from file (-f /path/to/capture.file)\n- Network (-n) and [netmask](https://en.wikipedia.org/wiki/Subnet) (-m) override\n- Monitor specific [VLANs](https://en.wikipedia.org/wiki/VLAN) (--vlan X,Y)\n- Capture for a duration (-d 60)\n- Execute script/program on detection (-x /path/to/script.sh)\n- Exit on single match (-1)\n- 
[MAC](https://en.wikipedia.org/wiki/MAC_address)/OUI to organization look up using IEEE [OUI](https://en.wikipedia.org/wiki/Organizationally_unique_identifier) data (-O) - *libcsv \u0026 ieee-data* \n- Process all networks (-A) as a basic request monitor\n- Process [probes](https://en.wikipedia.org/wiki/Address_Resolution_Protocol#ARP_probe) (-p) and [announcements](https://en.wikipedia.org/wiki/Address_Resolution_Protocol#ARP_announcements) (-a)\n- Quick list of interfaces with details (-L)\n- [JSON](https://en.wikipedia.org/wiki/JSON) output (-j) - *libjansson*\n- Syslog support (-s)\n- [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) timestamps both local (-t) and UTC (-u)\n- Verbose mode (-v)\n\n## Dependencies\n\n- libc6\n- libpcap0.8\n- libcsv3 \u0026 ieee-data - *optional*\n- libjansson4 - *optional*\n\n### Build Dependencies\n\nIf you are compiling from source you will need the following packages.\n\n- build-essential\n- libpcap-dev\n- libcsv-dev - *optional*\n- libjansson-dev - *optional*\n\n## Get Started\n\n### Debian\n\nDownload the [latest release](https://github.com/jcormir/nomadcap/releases/latest) Debian package (.deb) and\ninstall using `dpkg` or your favourite [APT](https://en.wikipedia.org/wiki/APT_(software)) front-end.\n\n```zsh\nVER=\"0.4-1\"\nsudo dpkg -i nomadcap_${VER}_amd64.deb\n```\n\n### Build\n\nInstall required build tools, libraries, and headers.\n\n```zsh\nsudo apt update\nsudo apt install build-essential libpcap0.8 libpcap-dev\n```\n\n*Optional*. Compile with IEEE OUI support. Install libcsv for parsing.\n\n```zsh\nsudo apt install libcsv3 libcsv-dev ieee-data\n```\n\n*Optional*. Compile with JSON support. Install libjansson for JSON output.\n\n```zsh\nsudo apt install libjansson4 libjansson-dev\n```\n\nClone this repository and run `make`. 
Results are in the directory `build/`.\n\n```zsh\ngit clone https://github.com/rancorm/nomadcap.git\ncd nomadcap\nmake\nbuild/nomadcap -h\n```\n\n## Usage\n\nGeneral tool and command line switch usage.\n\n### Help\n\nRun `nomadcap -h` to show help.\n\n```zsh\nnomadcap -h\n```\n\n#### Menu\n\n```text\nnomadcap v0.4 [Misconfigure network stack identification tool]\n\nUsage: nomadcap [-i INTF] [-n NETWORK -m NETMASK] [-f FILE.PCAP] [-d SECONDS] [-x PATH] [-Apa1stuLvV]\n\nOptions:\n  -i, --interface=INTF   Capture on specific interface\n  -n, --network=NETWORK  Capture network (e.g. 192.0.2.0)\n  -m, --mask=NETMASK     Capture netmask (e.g. 255.255.255.0)\n  --vlan X,Y,Z           Specific VLANs to monitor\n  -f, --file=FILE.PCAP   Offline capture using FILE.PCAP\n  -d, --duration=SECONDS Duration of capture (default: 60, forever: 0)\n  -A, --all              All networks (ARP request monitor)\n  -p, --probes           Process ARP probes\n  -a, --announce         Process ARP announcements\n  -1, --once             Exit after single match\n  -x, --exec=PATH        Execute on detection\n  -s, --syslog           Send to syslog\n  -t, --timestamp        ISO 8601 timestamps\n  -u, --utc              Show timestamps in UTC\n  -L, --list             List available interfaces\n  -v, --verbose          Verbose mode\n  -V, --version          Version\n```\n\n### Examples\n\nRun `nomadcap` with sudo, as root, or as a member of a group with permission to perform live capture.\n\n#### Example 1\n\n```zsh\nsudo nomadcap -v\n```\n\nCapture on the found interface `wlo1` for network `192.168.2.0` with subnet mask `255.255.255.0`.\nIn this example `10.0.70.5` is the misconfigured host looking for the default gateway `10.0.70.1`.\n\nCapture for the default duration of 60 seconds.\n\n```text\nLooking for interface...\nFound interface: wlo1\nFlags: 0x00000001\nDuration: 60 seconds\nListening on: wlo1\nLocal network: 192.168.2.0\nNetwork mask: 255.255.255.0\nSyslog: 0\nStarted at: 
1982-06-26T08:50:09.885-0400\n10.0.70.5 [dc:a6:32:e7:ec:72] is looking for 10.0.70.1\nARP announcement, ignoring...\n10.0.70.5 [dc:a6:32:e7:ec:72] is looking for 10.0.70.1\n10.0.70.5 [dc:a6:32:e7:ec:72] is looking for 10.0.70.1\n^CInterrupt signal\n10.0.70.5 [dc:a6:32:e7:ec:72] is looking for 10.0.70.1\n\nPackets received: 5\nPackets dropped: 0\nDone\n```\n\n#### Example 2\n\n```zsh\nsudo nomadcap -Ov -1 -d 0\n```\n\nAnother example using the single match (-1), OUI look up (-O), verbose mode (-v), and\ncapture forever (-d 0) features.\n\n```text\nLooking for interface...\nFound interface: wlo1\nFlags: 0x00000241\nLoading OUI data from /usr/share/ieee-data/oui.csv...\nLoaded 32,531 OUIs\nListening on: wlo1\nLocal network: 192.168.2.0\nNetwork mask: 255.255.255.0\nSyslog: 0\nStarted at: 2024-01-11T04:20:09.885-0400\nLocal traffic, ignoring...\nLocal traffic, ignoring...\nLocal traffic, ignoring...\nLocal traffic, ignoring...\nLocal traffic, ignoring...\n10.0.70.252 [a4:2a:95:15:c9:10 - D-Link International] is looking for 10.0.70.1\n\nPackets received: 10\nPackets dropped: 0\nDone\n```\n\n#### Example 3\n\n```zsh\nnomadcap -Ov -f nomad.pcapng\n```\n\nRead from offline file (-f) `nomad.pcapng` in verbose mode (-v) with OUI look up (-O).\n\nNote the warning about using -f without -n. In this example the capture came from the same network\nas the interface; otherwise we would have used the -n and -m switches respectively.\n\nAlso note that it is run with standard user privileges.\n\n```text\nWARNING: Using -f (file) capture without -n (network) switch\nLooking for interface...\nFound interface: wlo1\nFlags: 0x00000221\nLoading OUI data from /usr/share/ieee-data/oui.csv...\nLoaded 32,531 OUIs\nLoading capture file: nomad.pcapng\nListening on: wlo1\nLocal network: 192.168.2.0\nNetwork mask: 255.255.255.0\nSyslog: 0\nStarted at: 2024-01-06T02:50:09.885-0400\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is 
looking for 10.0.70.1\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1\nLocal traffic, ignoring...\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1\nDone\n```\n#### Example 4\n\n```zsh\nsudo nomadcap -Ov -j -1 -t\n```\n\nCapture single match (-1) with organization details (-O), verbose mode (-v), JSON mode (-j), and\nwith timestamps (-t). 
JSON mode prints a JSON object with capture details and results.\n\n```text\n{\n  \"found_intf\": \"wlo1\",\n  \"flags\": 1601,\n  \"oui_file\": \"/usr/share/ieee-data/oui.csv\",\n  \"ouis\": 32531,\n  \"duration\": 60,\n  \"listening_on\": \"wlo1\",\n  \"localnet\": \"192.168.2.0\",\n  \"netmask\": \"255.255.255.0\",\n  \"results\": [\n    {\n      \"src_ip\": \"10.0.70.252\",\n      \"src_ha\": \"a4:2a:95:15:c9:10\",\n      \"tgt_ip\": \"10.0.70.1\",\n      \"ts\": \"2024-01-06T02:50:09.885-0400\",\n      \"org\": \"D-Link International\"\n    }\n  ],\n  \"started_at\": \"2024-01-06T01:50:03.245-0400\",\n  \"stats\": {\n    \"pkts_recv\": 4,\n    \"pkts_drop\": 0\n  },\n  \"version\": \"0.4\"\n}%\n```\n\n#### Example 5\n\n```zsh\nsudo nomadcap -i en0 -d 0 -v -x scripts/echo.sh\n```\n\nCapture forever (-d 0) in verbose mode (-v) on interface `en0` (-i). On a\ndetection, nomadcap runs the script or program passed to `-x`; in this example that is\n`echo.sh`, which just prints to stdout.\n\n```text\nFlags: 0x00000001\nBinary: scripts/echo.sh\nListening on: en0\nLocal network: 192.168.2.0\nNetwork mask: 255.255.255.0\nSyslog: 0\nStarted at: 2025-05-13T05:54:00.091-0300\nLocal traffic, ignoring...\nLocal traffic, ignoring...\n10.0.80.2 [30:23:03:8d:f5:e3] is looking for 10.0.80.1\nExecuting 'scripts/test.sh'...\nDetected host! src: 10.0.80.2 [30:23:03:8d:f5:e3], tgt: 10.0.80.1 [00:00:00:00:00:00]\n```\n\n## nomadcap6\n\n`nomadcap6` is the IPv6 companion to `nomadcap`. 
Instead of monitoring ARP, it captures\n[ICMPv6](https://en.wikipedia.org/wiki/ICMPv6) [Neighbor Discovery Protocol](https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol)\n(NDP) traffic — specifically Neighbor Solicitation (NS) and Neighbor Advertisement (NA) messages —\nto identify hosts soliciting addresses outside the local network prefix.\n\n### Key Differences from nomadcap\n\n- Network is specified as a single CIDR prefix (`-n fe80::/10`) instead of separate `-n` and `-m` flags\n- Monitors NDP (ICMPv6) rather than ARP\n- No `-p` (probes) or `-m` (netmask) options\n\n### Help\n\nRun `nomadcap6 -h` to show help.\n\n```zsh\nnomadcap6 -h\n```\n\n#### Menu\n\n```text\nnomadcap6 v0.4 [Misconfigured IPv6 network stack identification tool]\n\nUsage: nomadcap6 [-i INTF] [-n PREFIX/LENGTH] [--vlan X,Y,Z] [-f FILE.PCAP] [-d SECONDS] [-x PATH] [-OjA1tuLvV]\n\nOptions:\n  -i, --interface=INTF      Capture on specific interface\n  -n, --network=PREFIX/LEN  Capture network (e.g. fe80::/10)\n  --vlan X,Y,Z              Specific VLANs to monitor\n  -f, --file=FILE.PCAP      Offline capture using FILE.PCAP\n  -d, --duration=SECONDS    Duration of capture (default: 60, forever: 0)\n  -O, --oui                 MAC OUI to organization\n  -A, --all                 All networks\n  -1, --once                Exit after single match\n  -x, --exec=PATH           Execute on detection\n  -s, --syslog              Send to syslog\n  -t, --timestamp           ISO 8601 timestamps\n  -u, --utc                 Show timestamps in UTC\n  -L, --list                List available interfaces\n  -j, --json                JSON output\n  -v, --verbose             Verbose mode\n  -V, --version             Version\n```\n\n### Example\n\n```zsh\nsudo nomadcap6 -Ov -1 -d 0\n```\n\nSingle match (-1), OUI look up (-O), verbose mode (-v), capture forever (-d 0).\n\n```text\nLooking for interface...\nFound interface: wlo1\nFlags: 0x00000241\nLoading OUI data from /usr/share/ieee-data/oui.csv...\nLoaded 
32,531 OUIs\nListening on: wlo1\nNetwork prefix: fe80::/64\nStarted at: 2025-05-13T05:54:00.091-0300\nLocal traffic, ignoring...\n2001:db8:1::5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 2001:db8:1::1\n\nPackets received: 8\nPackets dropped: 0\nDone\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Francorm%2Fnomadcap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Francorm%2Fnomadcap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Francorm%2Fnomadcap/lists"}