# Real-time Packet Observation Tool (RPOT)

## Architecture

## Startup

```
$ echo 'vm.max_map_count = 262144' | sudo tee -a /etc/sysctl.conf
$ sudo sysctl -p
$ cd rpot
$ docker-compose pull
```
## Analyzing pcap files

Step 1: copy or mount the pcap file directory

```
$ cp /path/to/pcap/*.pcap ./pcap/
```

Step 2: clean up any previous run

```
$ docker-compose down -v
```

Step 3: run the Docker stack

```
$ docker-compose up manager
```
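The two things that most often make this procedure fail silently are a `vm.max_map_count` that is still below the value the Startup section sets (Elasticsearch refuses to start without it, so nothing ever reaches Kibana) and an empty `./pcap/` directory. The following pre-flight script is an added example and is not part of the RPOT repository; it assumes the `./pcap` directory and the `262144` value from this README, and the names `REQUIRED_MAP_COUNT`, `map_count_ok`, `count_pcaps` and `preflight` are the example's own.

```shell
#!/bin/sh
# Pre-flight checks to run before `docker-compose up manager`.
# Added example, not RPOT project code. Assumes the ./pcap directory and the
# vm.max_map_count value (262144) given in the README's Startup section.

REQUIRED_MAP_COUNT=262144

# map_count_ok VALUE
# Returns 0 when VALUE is a non-negative integer at least as large as the
# required vm.max_map_count, 1 otherwise. The value is passed in as an
# argument so the function can be exercised against constructed input; the
# live value comes from /proc/sys/vm/max_map_count (see preflight below).
map_count_ok() {
    value="$1"
    case "$value" in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
    esac
    [ "$value" -ge "$REQUIRED_MAP_COUNT" ]
}

# count_pcaps DIR
# Prints the number of regular *.pcap files directly inside DIR (0 if none;
# an unmatched glob stays literal and fails the -f test).
count_pcaps() {
    dir="$1"
    n=0
    for f in "$dir"/*.pcap; do
        if [ -f "$f" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# preflight [DIR]
# Checks the host's live vm.max_map_count and the pcap directory (default
# ./pcap); returns 0 only when both are acceptable, printing the reason
# to stderr otherwise.
preflight() {
    dir="${1:-./pcap}"
    live=$(cat /proc/sys/vm/max_map_count 2>/dev/null || echo 0)
    if ! map_count_ok "$live"; then
        echo "vm.max_map_count is '$live'; need >= $REQUIRED_MAP_COUNT (see Startup)" >&2
        return 1
    fi
    n=$(count_pcaps "$dir")
    if [ "$n" -eq 0 ]; then
        echo "no .pcap files found in $dir" >&2
        return 1
    fi
    echo "ok: vm.max_map_count=$live, $n pcap file(s) in $dir"
}

# Usage: `. ./preflight.sh && preflight ./pcap && docker-compose up manager`
```

Running `preflight` before step 3 turns a stack that comes up with an empty dashboard into an immediate, explicit failure on the terminal.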
## Protocol coverage

○ = supported, × = not supported

| Protocol | Decode Payload | ElasticSearch Output | Kibana Visualization |
|---|---|---|---|
| ARP | ○ | × | × |
| AYIYA | ○ | × | × |
| BackDoor | ○ | × | × |
| BitTorrent | ○ | × | × |
| DCE RPC | ○ | ○ | × |
| DHCP | ○ | ○ | ○ |
| DNP3 | ○ | ○ | × |
| DNS | ○ | ○ | ○ |
| File | ○ | ○ | ○ |
| Finger | ○ | × | × |
| FTP | ○ | ○ | × |
| Gnutella | ○ | × | × |
| GSSAPI | ○ | × | × |
| GTPv1 | ○ | × | × |
| HTTP | ○ | ○ | ○ |
| ICMP | ○ | ○ | ○ |
| Ident | ○ | × | × |
| IMAP | ○ | × | × |
| IRC | ○ | ○ | ○ |
| Kerberos | ○ | ○ | × |
| Login | ○ | × | × |
| MIME | ○ | × | × |
| Modbus | ○ | ○ | × |
| MySQL | ○ | ○ | × |
| NCP | ○ | × | × |
| NetBIOS | ○ | ○ | ○ |
| NTLM | ○ | ○ | ○ |
| NTP | ○ | × | × |
| OpenFlow | ○ | ○ | ○ |
| POP3 | ○ | × | × |
| RADIUS | ○ | ○ | × |
| RDP | ○ | ○ | × |
| RFB | ○ | ○ | × |
| RPC | ○ | × | × |
| SIP | ○ | ○ | ○ |
| SMB | ○ | ○ | ○ |
| SMTP | ○ | ○ | ○ |
| SNMP | ○ | ○ | ○ |
| SOCKS | ○ | ○ | ○ |
| SSH | ○ | ○ | ○ |
| SSL | ○ | ○ | ○ |
| Syslog | ○ | ○ | × |
| TCP | ○ | ○ | ○ |
| Teredo | ○ | ○ | × |
| UDP | ○ | ○ | ○ |
| XMPP | ○ | × | × |
| ZIP | ○ | × | × |
## Visualization

1. Open the Kibana URL (http://localhost:5601) in a browser.
2. Click [Dashboard] -> [Open] -> [MAIN].