Feature request: Add network dump and network analysis support #7

Description

@TillmanKoch

Hi,

as part of our university research work on VMGrab, I would like to add a basic network dump and analysis feature.

The goal is to capture TCP/UDP traffic of a selected VM from the hypervisor side and analyze the resulting PCAP file.

Proposed commands

sudo vmgrab network-dump <vm-name> -o <output-dir>

Example:

sudo vmgrab network-dump test-vm -o /tmp/vmgrab-net --duration 30s

This should create a PCAP file containing the TCP/UDP traffic of the selected VM.

Second command:

vmgrab network-analyze <pcap-file>

Example:

vmgrab network-analyze /tmp/vmgrab-net/test-vm.pcap

Optional search:

vmgrab network-analyze /tmp/vmgrab-net/test-vm.pcap --search "VMGRAB_TEST_SECRET"

Basic behavior

  • Find the VM network interface on the hypervisor, for example vnetX.
  • Capture TCP/UDP packets from that interface.
  • Store the result as a .pcap file.
  • Analyze the PCAP file.
  • Show TCP/UDP flows with source IP, destination IP, source port, destination port, protocol, packet count and byte count.
  • For readable plaintext traffic, show the payload or extracted application data.
  • For HTTP traffic, show method, path, headers and body if available.
  • For DNS traffic, show queried domains.
  • For TLS traffic, show that the payload is encrypted and only metadata is visible.
  • Optionally search all readable payloads for a test string or pattern.

Example result

VMGrab Network Analysis
=======================

File: test-vm.pcap
Filter: tcp or udp

Flows found: 3

[1] TCP 192.168.122.104:51422 -> 10.0.0.5:8080
    Protocol: HTTP
    Packets: 12
    Bytes: 1.8 KB
    Payload: readable

    Request:
    POST /api/store HTTP/1.1
    Host: 10.0.0.5:8080
    Content-Type: application/json

    Body:
    {"secret":"VMGRAB_TEST_SECRET","type":"demo"}

    Search:
    [FOUND] VMGRAB_TEST_SECRET

[2] UDP 192.168.122.104:47391 -> 192.168.122.1:53
    Protocol: DNS
    Packets: 1
    Bytes: 74
    Payload: readable

    Query:
    api.example.test A

[3] TCP 192.168.122.104:51424 -> 10.0.0.5:443
    Protocol: TLS
    Packets: 24
    Bytes: 6.2 KB
    Payload: encrypted

    TLS:
    Version: TLS 1.3
    SNI: api.example.test

    Search:
    [NOT FOUND] VMGRAB_TEST_SECRET

Initial scope

For the first version, I would keep it simple:

  • TCP/UDP capture only.
  • PCAP output.
  • Flow overview with IPs and ports.
  • Basic plaintext payload extraction.
  • Basic HTTP request/response display if readable.
  • Basic DNS query display.
  • Optional search string.
  • Optional BPF filter, defaulting to tcp or udp.
  • No TLS bypass or decryption.

Motivation

This extends VMGrab from memory-only analysis to a network-visibility test.

It allows us to check what network data of a VM is visible from the hypervisor side, including IPs, ports, protocols and plaintext payloads. It also allows us to compare plaintext traffic with encrypted traffic such as TLS, where the payload should not be readable.

Safety note

This feature is intended only for authorized research and testing on VMs owned by the user or explicitly approved test environments.
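A reduced model of the proposed network-analyze step, added here as an example and not code from VMGrab or the issue author: it walks a classic PCAP, groups IPv4 TCP/UDP packets into flows, labels each flow as DNS, TLS or HTTP, and applies the --search string only to readable payloads, so TLS flows are reported as encrypted and never searched. make_frame, build_pcap and sample_pcap are assumptions that construct a test capture with the three flows from the example output above; the parser assumes a little-endian, Ethernet-link classic PCAP (no pcapng).

```python
import socket
import struct

def make_frame(proto, src, sport, dst, dport, payload):
    # Constructed Ethernet/IPv4/TCP(6)-or-UDP(17) frame; checksums deliberately left zero.
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 8192, 0, 0) if proto == 6
          else struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + l4

def build_pcap(frames):
    # Classic little-endian PCAP: magic, v2.4, zone, sigfigs, snaplen, link type 1 (Ethernet).
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def sample_pcap():
    # Constructed capture mirroring the three flows in the proposed example output.
    http = b'POST /api/store HTTP/1.1\r\nHost: 10.0.0.5:8080\r\n\r\n{"secret":"VMGRAB_TEST_SECRET"}'
    dns = bytes(12) + b"\x03api\x07example\x04test\x00\x00\x01\x00\x01"   # zeroed header, one A question
    tls = b"\x16\x03\x01\x00\x04\x01\x00\x00\x00"                           # TLS handshake record stub
    return build_pcap([make_frame(6, "192.168.122.104", 51422, "10.0.0.5", 8080, http),
                       make_frame(17, "192.168.122.104", 47391, "192.168.122.1", 53, dns),
                       make_frame(6, "192.168.122.104", 51424, "10.0.0.5", 443, tls)])

def analyze_pcap(data, search=None):
    """Aggregate a little-endian classic PCAP into TCP/UDP flows, then label and search each one."""
    flows, pos = {}, 24                                # skip the 24-byte global header
    while pos + 16 <= len(data):
        incl = struct.unpack("<IIII", data[pos:pos + 16])[2]
        frame, pos = data[pos + 16:pos + 16 + incl], pos + 16 + incl
        ip = frame[14:]
        if frame[12:14] != b"\x08\x00" or ip[9] not in (6, 17): continue   # IPv4 TCP/UDP only
        l4 = ip[(ip[0] & 0x0F) * 4:]
        proto, hdr = ("TCP", (l4[12] >> 4) * 4) if ip[9] == 6 else ("UDP", 8)
        key = (proto, *map(socket.inet_ntoa, (ip[12:16], ip[16:20])), *struct.unpack("!HH", l4[:4]))
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "payload": b""})
        f["packets"] += 1; f["bytes"] += len(frame); f["payload"] += l4[hdr:]
    report = []
    for (proto, src, dst, sport, dport), f in flows.items():
        p = f["payload"]
        kind = ("DNS" if proto == "UDP" and 53 in (sport, dport) else
                "TLS" if p[:2] == b"\x16\x03" else                       # record layer: handshake, v3.x
                "HTTP" if p.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT", b"HTTP/1.1") else "unknown")
        entry = {"flow": f"{proto} {src}:{sport} -> {dst}:{dport}", "protocol": kind, "packets": f["packets"],
                 "bytes": f["bytes"], "payload": "encrypted" if kind == "TLS" else "readable"}
        if search is not None:                         # encrypted payload is reported, never searched
            entry["found"] = kind != "TLS" and search in p
        report.append(entry)
    return report
```

Calling analyze_pcap(sample_pcap(), b"VMGRAB_TEST_SECRET") yields the HTTP flow with the string found, the DNS flow without it, and the TLS flow marked encrypted and not searched.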
