Feature request: Add network dump and network analysis support
Hi,
as part of our university research work on VMGrab, I would like to add a basic network dump and analysis feature.
The goal is to capture TCP/UDP traffic of a selected VM from the hypervisor side and analyze the resulting PCAP file.
Proposed commands
sudo vmgrab network-dump <vm-name> -o <output-dir>
Example:
sudo vmgrab network-dump test-vm -o /tmp/vmgrab-net --duration 30s
This should create a PCAP file containing the TCP/UDP traffic of the selected VM.
Second command:
vmgrab network-analyze <pcap-file>
Example:
vmgrab network-analyze /tmp/vmgrab-net/test-vm.pcap
Optional search:
vmgrab network-analyze /tmp/vmgrab-net/test-vm.pcap --search "VMGRAB_TEST_SECRET"
Basic behavior
- Find the VM network interface on the hypervisor, for example vnetX.
- Capture TCP/UDP packets from that interface.
- Store the result as a .pcap file.
- Analyze the PCAP file.
- Show TCP/UDP flows with source IP, destination IP, source port, destination port, protocol, packet count and byte count.
- For readable plaintext traffic, show the payload or extracted application data.
- For HTTP traffic, show method, path, headers and body if available.
- For DNS traffic, show queried domains.
- For TLS traffic, show that the payload is encrypted and only metadata is visible.
- Optionally search all readable payloads for a test string or pattern.
Example result
VMGrab Network Analysis
=======================
File: test-vm.pcap
Filter: tcp or udp
Flows found: 3
[1] TCP 192.168.122.104:51422 -> 10.0.0.5:8080
Protocol: HTTP
Packets: 12
Bytes: 1.8 KB
Payload: readable
Request:
POST /api/store HTTP/1.1
Host: 10.0.0.5:8080
Content-Type: application/json
Body:
{"secret":"VMGRAB_TEST_SECRET","type":"demo"}
Search:
[FOUND] VMGRAB_TEST_SECRET
[2] UDP 192.168.122.104:47391 -> 192.168.122.1:53
Protocol: DNS
Packets: 1
Bytes: 74
Payload: readable
Query:
api.example.test A
[3] TCP 192.168.122.104:51424 -> 10.0.0.5:443
Protocol: TLS
Packets: 24
Bytes: 6.2 KB
Payload: encrypted
TLS:
Version: TLS 1.3
SNI: api.example.test
Search:
[NOT FOUND] VMGRAB_TEST_SECRET
Initial scope
For the first version, I would keep it simple:
- TCP/UDP capture only.
- PCAP output.
- Flow overview with IPs and ports.
- Basic plaintext payload extraction.
- Basic HTTP request/response display if readable.
- Basic DNS query display.
- Optional search string.
- Optional BPF filter, defaulting to tcp or udp.
- No TLS bypass or decryption.
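As an added illustration of the analyze step described under "Basic behavior" and "Initial scope" (my own sketch, not part of this request or of the VMGrab code base): it parses a classic libpcap file, groups IPv4 TCP/UDP packets into 5-tuple flows with packet and byte counts, tags DNS, HTTP and TLS by port and payload prefix, and searches readable payloads for a string. The sample capture is constructed inline from the addresses in the example result; the function and field names are assumptions.

```python
import struct
from collections import defaultdict

def build_pcap(frames):
    # Classic libpcap file: 24-byte global header (linktype 1 = Ethernet), then 16-byte record headers.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def ipv4_frame(proto, src, dst, sport, dport, payload):
    # Constructed Ethernet/IPv4 frame with a minimal TCP (6) or UDP (17) header; checksums left zero.
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) if proto == 6
          else struct.pack("!HHHH", sport, dport, 8 + len(payload), 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload

def analyze(pcap, search=None):
    # Group TCP/UDP packets into flows, count packets/bytes, classify and search the payload.
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "payload": b""})
    off = 24  # skip the global header
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        pkt, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if pkt[12:14] != b"\x08\x00" or pkt[23] not in (6, 17):
            continue  # IPv4 TCP/UDP only, matching the default "tcp or udp" filter
        proto, l4 = pkt[23], pkt[14 + (pkt[14] & 0x0F) * 4:]
        hdr = (l4[12] >> 4) * 4 if proto == 6 else 8  # TCP data offset vs fixed UDP header
        sport, dport = struct.unpack("!HH", l4[:4])
        key = ("TCP" if proto == 6 else "UDP", ".".join(map(str, pkt[26:30])), sport,
               ".".join(map(str, pkt[30:34])), dport)
        f = flows[key]
        f["packets"] += 1
        f["bytes"] += len(pkt)
        f["payload"] += l4[hdr:]
    for key, f in flows.items():
        f["protocol"] = ("DNS" if 53 in (key[2], key[4]) else
                         "HTTP" if f["payload"][:5] in (b"GET /", b"POST ", b"HTTP/") else
                         "TLS (encrypted)" if f["payload"][:2] == b"\x16\x03" else "unknown")
        f["found"] = search is not None and search.encode() in f["payload"]
    return dict(flows)

# Constructed sample capture mirroring the example result: HTTP POST, DNS query, TLS record.
SAMPLE_PCAP = build_pcap([
    ipv4_frame(6, "192.168.122.104", "10.0.0.5", 51422, 8080,
               b'POST /api/store HTTP/1.1\r\nHost: 10.0.0.5:8080\r\n\r\n{"secret":"VMGRAB_TEST_SECRET"}'),
    ipv4_frame(17, "192.168.122.104", "192.168.122.1", 47391, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
    ipv4_frame(6, "192.168.122.104", "10.0.0.5", 51424, 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
])
```

Running `analyze(SAMPLE_PCAP, search="VMGRAB_TEST_SECRET")` reports the string as found only in the plaintext HTTP flow; the TLS flow is tagged encrypted and yields no match, which is the comparison the motivation section asks for.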
Motivation
This extends VMGrab from memory-only analysis to a network-visibility test.
It allows us to check what network data of a VM is visible from the hypervisor side, including IPs, ports, protocols and plaintext payloads. It also allows us to compare plaintext traffic with encrypted traffic such as TLS, where the payload should not be readable.
Safety note
This feature is intended only for authorized research and testing on VMs owned by the user or explicitly approved test environments.