
feat: NullSec-TrafficMirror — Advanced Traffic Capture & Analysis#51

Open
bad-antics wants to merge 1 commit into hak5:master from bad-antics:nullsec-trafficmirror

Conversation

@bad-antics

NullSec-TrafficMirror

Advanced transparent traffic capture and analysis payload for the Packet Squirrel. Operates in bridge mode for zero-visibility inline sniffing.

Features:

  • Full PCAP Capture — Complete packet capture in bridge mode
  • DNS Query Logging — All DNS lookups, deduplicated
  • HTTP Request Logging — GET/POST/PUT/DELETE with URLs
  • Credential Extraction — FTP, Telnet, SMTP, HTTP Basic Auth, POP3, IMAP
  • Protocol Breakdown — Automatic protocol distribution analysis
  • Top Talkers — Most active hosts by packet count
  • Zero Visibility — Bridge mode means no network disruption

Configuration:

CAPTURE_TIME=300   # Duration in seconds
EXTRACT_CREDS=1    # Plaintext credential extraction
CAPTURE_DNS=1      # DNS query logging
CAPTURE_HTTP=1     # HTTP request logging

Output:

trafficmirror_<timestamp>/
├── analysis.txt       # Formatted analysis report
├── capture.pcap       # Full packet capture
├── dns_queries.txt    # Unique domains queried
├── http_requests.txt  # HTTP requests
├── credentials.txt    # Plaintext credentials
├── telnet_capture.txt # Telnet session data
└── smtp_capture.txt   # SMTP transactions

Excludes SSH management traffic (172.16.32.1:22) from capture. Compatible with Packet Squirrel MK1 and MK2.

- Full pcap capture in transparent bridge mode
- DNS query logging (deduplicated domains)
- HTTP request extraction (GET/POST/PUT/DELETE)
- Plaintext credential harvesting (FTP, Telnet, SMTP, HTTP Basic, POP3, IMAP)
- Protocol distribution analysis
- Top talkers identification
- Formatted analysis report with statistics
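The "Protocol Breakdown" and "Top Talkers" features above, and the exclusion of the 172.16.32.1:22 management session, can be reproduced offline with a small standard-library pcap reader. The following is an added example for illustration, not code from the NullSec-TrafficMirror payload or the hak5 repository: it assumes the classic libpcap file format with Ethernet link type, takes only the management endpoint from the PR description, and analyses a constructed sample capture (the 10.0.0.0/24, 192.168.1.10 and 203.0.113.10 addresses are made up) rather than anything recorded by the device.

```python
"""Protocol breakdown and top-talker statistics from a pcap, stdlib only.
Added example; not part of the NullSec-TrafficMirror payload."""
import struct
from collections import Counter
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# The payload leaves its own SSH management session (172.16.32.1:22) out of the
# capture; the analyzer applies the same rule so it does not skew the statistics.
MGMT_ENDPOINT = ("172.16.32.1", 22)


def build_packet(src, dst, proto, sport=0, dport=0):
    """Build a minimal Ethernet/IPv4 frame carrying a TCP, UDP or ICMP header.
    Checksums are left zero; this is constructed sample data only."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    elif proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    elif proto == 1:
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # ICMP echo request
    else:
        raise ValueError("unsupported protocol")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"  # constructed MACs, EtherType IPv4
    return eth + ip + l4


def build_pcap(frames):
    """Wrap frames in a classic pcap container (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_records(data):
    """Yield raw frames from pcap bytes, accepting either byte order."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if endian == ">" and struct.unpack(">I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Return (src_ip, dst_ip, proto, sport, dport) for an IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = str(IPv4Address(frame[26:30]))
    dst = str(IPv4Address(frame[30:34]))
    sport = dport = 0
    l4 = frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return src, dst, proto, sport, dport


def analyze_pcap(data, exclude=MGMT_ENDPOINT, top_n=5):
    """Count packets per protocol and per host, skipping the excluded endpoint."""
    protocols, hosts = Counter(), Counter()
    for frame in iter_records(data):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, proto, sport, dport = parsed
        if (src, sport) == exclude or (dst, dport) == exclude:
            continue
        protocols[PROTO_NAMES.get(proto, str(proto))] += 1
        hosts[src] += 1
        hosts[dst] += 1
    return {"protocols": dict(protocols), "top_talkers": hosts.most_common(top_n)}


# Constructed sample capture: two DNS lookups, two web connections, one ping,
# and one SSH management packet that the exclusion rule should drop.
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.5", "10.0.0.1", 17, 51000, 53),
    build_packet("10.0.0.5", "203.0.113.10", 6, 51001, 80),
    build_packet("10.0.0.7", "203.0.113.10", 6, 51002, 443),
    build_packet("10.0.0.5", "10.0.0.1", 17, 51003, 53),
    build_packet("192.168.1.10", "172.16.32.1", 6, 51004, 22),
    build_packet("10.0.0.1", "10.0.0.5", 1),
])

if __name__ == "__main__":
    print(analyze_pcap(SAMPLE_PCAP))
```

Running the module prints the protocol counts and the host ranking for the sample; passing `exclude=None` shows the management packet being counted again, which is a quick way to confirm an exclusion rule behaves as intended before trusting a report built from it.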