A Passive Sniffer and Inventory Tool
As a network security professional, one of my biggest frustrations has been knowing what’s on my network. In addition to the normal laptops, desktops, and servers that should be there, people can add their own devices as soon as they have the Wi-Fi password or access to an Ethernet port. I’d like to know what’s connected – both approved and non-approved devices – so we can identify systems that may need to be patched, hardened, or removed.
Agent-based software can’t completely perform this kind of inventory – we need to know what’s there before we can install an agent, and may not have agents (or be able to install software at all) for many devices. The better approaches are active scans and passive detection.
Here’s where Passer steps in – it can give you an inventory of what’s on your network entirely passively.
- Identifies systems and services on a network
- Extracts multiple types of system names
- Identifies the application and operating system from service banners
- Automatically tracks some malicious activity
- Passive – no outbound traffic generated by default
- Runs on macOS and Linux
- Can analyze packet capture files and live network feeds
- No configuration needed
- Multiprocessor support
- Simple output format designed for easy import into other systems
How To Run:
Passer is available as a docker image with all necessary support files preinstalled:
sudo docker pull quay.io/activecm/passer
That pulls the current image; rerun it later to fetch any updated image. Now run:
sudo docker run --rm -i --name=passer --net=host quay.io/activecm/passer
Because of --net=host the container shares the host’s network stack, so Passer listens on all of the host’s network interfaces. Within a few seconds, you should see records going to your screen describing systems on your network that broadcast their presence. If you start up a web browser and go to a system on the Internet, you should also see records for that DNS lookup and that connection.
To stop the sniffing, run:
sudo docker kill passer
from another terminal window on that system.
If running under docker isn’t appropriate, you can install from source. See https://github.com/activecm/passer/, which has install instructions for both Debian-based and rpm-based Linux systems. That page also documents the command-line options for reading packets from a pcap file or saving the output lines to a CSV file.
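To make the passive approach concrete, here is an added example (written for this page, not Passer’s own code) of the core idea: read a classic pcap, learn IP-to-MAC bindings from the sender fields of ARP frames, learn host names and the fact that something is serving DNS from DNS responses, de-duplicate each fact, and emit the inventory as CSV. The capture bytes are constructed inline rather than taken from a real trace, and the record layout (type, key, value, evidence, first_seen) is my own, not Passer’s output format. DNS name decoding follows RFC 1035 compression pointers and refuses pointer loops, which is the usual trap when parsing untrusted captures.

```python
"""Passive inventory from a pcap: IP/MAC pairs from ARP, names and servers from DNS."""
import csv
import io
import struct


def ip4(b):
    return ".".join(str(x) for x in b)


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def iter_frames(pcap):
    """Yield (ts_sec, ethernet_frame) from a classic pcap; handles both byte orders."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    e = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if e is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(e + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet (link type 1) is handled here")
    off = 24
    while off + 16 <= len(pcap):
        ts, _us, incl, _orig = struct.unpack_from(e + "IIII", pcap, off)
        off += 16
        yield ts, pcap[off:off + incl]
        off += incl


def read_name(msg, off):
    """Decode a DNS name at msg[off]; returns (name, offset after it).
    Follows RFC 1035 compression pointers and refuses pointer loops."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated DNS name")
        n = msg[off]
        if n == 0:
            off += 1
            break
        if n & 0xC0 == 0xC0:                      # two-byte compression pointer
            end = end if end is not None else off + 2
            hops += 1
            if hops > 16:
                raise ValueError("DNS name pointer loop")
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels), (end if end is not None else off)


def parse_frame(frame):
    """Yield (type, key, value, evidence) facts learned from one Ethernet frame."""
    if len(frame) < 14:
        return
    etype = struct.unpack_from("!H", frame, 12)[0]
    p = frame[14:]
    if etype == 0x0806 and len(p) >= 28:                      # ARP
        htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", p, 0)
        # Sender fields of both requests and replies bind an IP to a MAC;
        # a 0.0.0.0 sender is an address probe and carries no binding.
        if (htype, ptype, hlen, plen) == (1, 0x0800, 6, 4) and p[14:18] != b"\0\0\0\0":
            yield ("ip-mac", ip4(p[14:18]), mac(p[8:14]),
                   "ARP reply" if oper == 2 else "ARP request")
    elif etype == 0x0800 and len(p) >= 20 and p[9] == 17:     # IPv4 carrying UDP
        ihl = (p[0] & 0x0F) * 4
        if len(p) >= ihl + 8:
            sport, _dport, ulen = struct.unpack_from("!HHH", p, ihl)
            if sport == 53:
                yield from parse_dns_response(p[ihl + 8:ihl + ulen], ip4(p[12:16]))


def parse_dns_response(msg, server_ip):
    if len(msg) < 12:
        return
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:                      # QR bit clear: a query, not an answer
        return
    yield ("service", server_ip, "udp/53", "DNS response")   # something answers DNS here
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                # skip QTYPE and QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:           # A record: name -> IPv4 address
            yield ("name", ip4(msg[off:off + 4]), name, "DNS A answer")
        off += rdlen


def inventory(pcap):
    """Return de-duplicated facts, each tagged with the time it was first seen."""
    first = {}
    for ts, frame in iter_frames(pcap):
        for fact in parse_frame(frame):
            first.setdefault(fact, ts)
    return [fact + (ts,) for fact, ts in first.items()]


def to_csv(records):
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["type", "key", "value", "evidence", "first_seen"])
    w.writerows(records)
    return buf.getvalue()


# ---- constructed sample capture (assumed addresses, not a real trace) ------
def _ip(s): return bytes(int(x) for x in s.split("."))
def _eth(dst, src, etype, data): return dst + src + struct.pack("!H", etype) + data
def _arp(oper, sha, spa, tha, tpa): return struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + tha + tpa
def _udp(src, dst, sport, dport, data):      # checksums left at 0: the parser never checks them
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst) + udp
def _dns_a(qname, ip):                       # one question, one A answer via a name pointer
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\0"
    return (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + q + struct.pack("!HH", 1, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ip)

MAC_GW, MAC_HOST, BCAST = bytes.fromhex("aabbccddeeff"), bytes.fromhex("001122334455"), b"\xff" * 6
_frames = [
    (1700000000, _eth(MAC_GW, MAC_HOST, 0x0806, _arp(2, MAC_HOST, _ip("10.0.0.5"), MAC_GW, _ip("10.0.0.1")))),
    (1700000001, _eth(MAC_HOST, MAC_GW, 0x0800, _udp(_ip("10.0.0.1"), _ip("10.0.0.5"), 53, 51000,
                                                    _dns_a("printer.lan", _ip("10.0.0.7"))))),
    (1700000002, _eth(MAC_GW, MAC_HOST, 0x0806, _arp(2, MAC_HOST, _ip("10.0.0.5"), MAC_GW, _ip("10.0.0.1")))),  # repeat
    (1700000003, _eth(BCAST, MAC_GW, 0x0806, _arp(1, MAC_GW, _ip("10.0.0.1"), b"\0" * 6, _ip("10.0.0.7")))),
]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in _frames)

if __name__ == "__main__":
    print(to_csv(inventory(SAMPLE_PCAP)), end="")
```

Run as a script it prints four CSV rows: the 10.0.0.5 host learned from its ARP reply, 10.0.0.1 as a DNS server, printer.lan at 10.0.0.7 from the A answer, and 10.0.0.1’s own MAC from its ARP request; the repeated ARP reply is folded into the first sighting. Nothing is transmitted, which is the property the feature list above calls passive. Swapping the constructed bytes for `open("trace.pcap", "rb").read()` applies the same logic to a real capture.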
Bill Stearns, the author of this page, is also Passer’s author. Many thanks to Active Countermeasures, Chris Brenton, Ethan Robish, and John Strand for their support of this project.