{"id":21343152,"url":"https://github.com/rancorm/nomadcap","last_synced_at":"2025-03-16T03:13:06.257Z","repository":{"id":209081087,"uuid":"718590329","full_name":"rancorm/nomadcap","owner":"rancorm","description":"Tool that helps find mis-configured network stacks by capturing and analyzing live or saved traffic. JSON output, exit on first match, and more.","archived":false,"fork":false,"pushed_at":"2024-03-25T00:59:23.000Z","size":81,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-22T15:45:51.391Z","etag":null,"topics":["arp","ethernet","host-configuration","infrastructure","internetworking","linux","macos","network","network-analysis","network-configuration","network-stack","networking","oui","pcap"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rancorm.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-11-14T12:00:37.000Z","updated_at":"2024-07-16T20:44:20.000Z","dependencies_parsed_at":"2024-01-05T01:36:36.599Z","dependency_job_id":"4a6024b8-8342-4c45-b637-7f9378272bf2","html_url":"https://github.com/rancorm/nomadcap","commit_stats":null,"previous_names":["jcormir/nomadcap","rancorm/nomadcap"],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rancorm%2Fnomadcap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rancorm%2Fnomadcap/tags","releases_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/repositories/rancorm%2Fnomadcap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rancorm%2Fnomadcap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rancorm","download_url":"https://codeload.github.com/rancorm/nomadcap/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243818199,"owners_count":20352629,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["arp","ethernet","host-configuration","infrastructure","internetworking","linux","macos","network","network-analysis","network-configuration","network-stack","networking","oui","pcap"],"created_at":"2024-11-22T01:12:14.147Z","updated_at":"2025-03-16T03:13:06.236Z","avatar_url":"https://github.com/rancorm.png","language":"C","readme":"# nomadcap\n\n[PCAP](https://en.wikipedia.org/wiki/Pcap) tool that aids in locating misconfigured network stacks.\n\nThe tool's function is to identify and capture [Address Resolution Protocol](https://en.wikipedia.org/wiki/Address_Resolution_Protocol) (ARP)\nrequests that are not intended for the local network.\n\n## Features\n\n- Live capture on specific interface (-i)\n- Offline capture from file (-f)\n- Network (-n) and netmask (-m) override\n- Run capture for a duration (-d)\n- Exit on single match (-1)\n- MAC/OUI to organization look up using IEEE [OUI](https://en.wikipedia.org/wiki/Organizationally_unique_identifier) data (-O) - *libcsv*\n- Process all networks (-A) as a basic request monitor\n- Process probes (-p) and announcements (-a)\n- Quick list 
of interfaces with details (-L)\n- [JSON](https://en.wikipedia.org/wiki/JSON) output (-j) - *libjansson*\n- ISO 8601 timestamps, both local (-t) and UTC (-u)\n- Verbose mode (-v)\n\n## Dependencies\n\n- libc6\n- libpcap0.8\n- libcsv3 - *optional*\n- libjansson4 - *optional*\n\n## Get Started\n\n### Debian\n\nDownload the [latest release](https://github.com/jcormir/nomadcap/releases/latest) Debian package (.deb) and\ninstall using `dpkg` or your favourite [APT](https://en.wikipedia.org/wiki/APT_(software)) front-end.\n\n```bash\nVER=\"0.2-1\"\nsudo dpkg -i nomadcap_${VER}_amd64.deb\n```\n\n### Compile\n\nInstall build essentials and PCAP library with headers.\n\n```bash\nsudo apt update\nsudo apt install build-essential libpcap0.8 libpcap-dev\n```\n\n*Optional*. Compile with IEEE OUI support. Install libcsv for parsing.\n\n```bash\nsudo apt install libcsv3 libcsv-dev ieee-data\n```\n\n*Optional*. Compile with JSON support. Install libjansson for JSON output.\n\n```bash\nsudo apt install libjansson4 libjansson-dev\n```\n\nClone this repository and run `make`. Results are in the directory `build/`.\n\n```bash\ngit clone https://github.com/rancorm/nomadcap.git\ncd nomadcap\nmake\nbuild/nomadcap -h\n```\n\n## Usage\n\nGeneral tool and command line switch usage.\n\n### Help\n\nRun `nomadcap -h` to show help.\n\n```bash\nnomadcap -h\n```\n\n#### Menu\n\n```text\nnomadcap v0.2 [Mis-configured network stack identification tool]\n\nUsage: nomadcap [-i INTF] [-n NETWORK -m NETMASK] [-f FILE.PCAP] [-d SECONDS] [-OjApa1tuLvV]\n\n        -i INTF         Capture on specific interface\n        -n NETWORK      Capture network (e.g. 192.0.2.0)\n        -m NETMASK      Capture netmask (e.g. 
255.255.255.0)\n        -f FILE.PCAP    Offline capture using FILE.PCAP\n        -d SECONDS      Duration of capture (default: 60, forever: 0)\n        -O              MAC OUI to organization\n        -A              All networks (ARP request monitor)\n        -p              Process ARP probes\n        -a              Process ARP announcements\n        -1              Exit after single match\n        -t              ISO 8601 timestamps\n        -u              Show timestamps in UTC\n        -L              List available interfaces\n        -j              JSON output\n        -v              Verbose mode\n        -V              Version\n```\n\n### Capture\n\nRun `nomadcap` under sudo, root, or group with permission to perform live capture.\n\n#### Example 1\n\n```bash\nsudo nomadcap -v\n```\n\nCapture on interface `wlo1` for network `192.168.2.0` with subnet mask `255.255.255.0`.\nIn this example `10.0.70.5` is the misconfigured host looking for the default gateway `10.0.70.1`.\n\nCapture for the default duration of 60 seconds.\n\n```text\nLooking for interface...\nFound interface: wlo1\nFlags: 0x00000001\nDuration: 60 seconds\nListening on: wlo1\nLocal network: 192.168.2.0\nNetwork mask: 255.255.255.0\nStarted at: 1982-06-26T08:50:09.885-0400\n10.0.70.5 [dc:a6:32:e7:ec:72] is looking for 10.0.70.1\nARP announcement, ignoring...\n10.0.70.5 [dc:a6:32:e7:ec:72] is looking for 10.0.70.1\n10.0.70.5 [dc:a6:32:e7:ec:72] is looking for 10.0.70.1\n^CInterrupt signal\n10.0.70.5 [dc:a6:32:e7:ec:72] is looking for 10.0.70.1\n\nPackets received: 5\nPackets dropped: 0\nDone\n```\n\n#### Example 2\n\n```bash\nsudo nomadcap -Ov -1 -d 0\n```\n\nAnother example using single match (-1), OUI look up (-O), verbose mode (-v), and\ncapture forever (-d 0) features.\n\n```text\nLooking for interface...\nFound interface: wlo1\nFlags: 0x00000241\nLoading OUI data from /usr/share/ieee-data/oui.csv...\nLoaded 32,531 OUIs\nListening on: wlo1\nLocal network: 192.168.2.0\nNetwork mask: 
255.255.255.0\nStarted at: 2024-01-11T04:20:09.885-0400\nLocal traffic, ignoring...\nLocal traffic, ignoring...\nLocal traffic, ignoring...\nLocal traffic, ignoring...\nLocal traffic, ignoring...\n10.0.70.252 [a4:2a:95:15:c9:10 - D-Link International] is looking for 10.0.70.1\n\nPackets received: 10\nPackets dropped: 0\nDone\n```\n\n#### Example 3\n\n```bash\nnomadcap -Ov -f nomad.pcapng\n```\n\nRead from offline file (-f) `nomad.pcapng` in verbose mode (-v) with OUI look up (-O).\n\nNote the warning about using -f without -n. In this example the capture came from the same network\nas the interface; otherwise we would have used the -n and -m switches, respectively.\n\nAlso note that it is run with standard user privileges.\n\n```text\nWARNING: Using -f (file) capture without -n (network) switch\nLooking for interface...\nFound interface: wlo1\nFlags: 0x00000221\nLoading OUI data from /usr/share/ieee-data/oui.csv...\nLoaded 32,531 OUIs\nLoading capture file: nomad.pcapng\nListening on: wlo1\nLocal network: 192.168.2.0\nNetwork mask: 255.255.255.0\nStarted at: 2024-01-06T02:50:09.885-0400\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1\nLocal traffic, ignoring...\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is 
looking for 10.0.70.1\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1\n10.0.70.5 [dc:a6:32:e7:ec:72 - Raspberry Pi Trading Ltd] is looking for 10.0.70.1\nDone\n```\n\n#### Example 4\n\n```bash\nsudo nomadcap -Ov -j -1 -t\n```\n\nCapture single match (-1) with organization details (-O) in verbose (-v) JSON mode (-j), with\ntimestamps (-t). JSON mode prints a JSON object with capture details and results (if any).\n\n```text\n{\n  \"found_intf\": \"wlo1\",\n  \"flags\": 1601,\n  \"oui_file\": \"/usr/share/ieee-data/oui.csv\",\n  \"ouis\": 32531,\n  \"duration\": 60,\n  \"listening_on\": \"wlo1\",\n  \"localnet\": \"192.168.2.0\",\n  \"netmask\": \"255.255.255.0\",\n  \"results\": [\n    {\n      \"src_ip\": \"10.0.70.252\",\n      \"src_ha\": \"a4:2a:95:15:c9:10\",\n      \"tgt_ip\": \"10.0.70.1\",\n      \"ts\": \"2024-01-06T02:50:09.885-0400\",\n      \"org\": \"D-Link International\"\n    }\n  ],\n  \"started_at\": \"2024-01-06T01:50:03.245-0400\",\n  \"stats\": {\n    \"pkts_recv\": 4,\n    \"pkts_drop\": 0\n  },\n  \"version\": \"0.2\"\n}\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Francorm%2Fnomadcap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Francorm%2Fnomadcap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Francorm%2Fnomadcap/lists"}