TCP tee implementation (Linux, Mac OS X, Windows) - duplicate TCP packets

Run outside of the regular traffic flow, listen to the TCP packets and duplicate them to other sources with minimal impact. This means it needs no changes in the existing applications that run there. For example you run a process on port 1234 TCP. You can start the copying process teecp that monitors that TCP port and copies all the individual packets to another location.

It relies on the promiscuous mode ethernet sniffing mode which is also used by tools like WireShark, WinPcap, tcpdump, etc.

It is built around Google's gopacket library and written in GoLang.

By default the payload of the packet is forwarded (without the encapsulating layers). It is however possible to forward the entire packet payload without any filters.

The below will listen on interface lo0, filter traffic on port 1234, log all details (very verbose, turn off in production), and copy it's packet payloads (by default TCP & UDP) towards localhost port 8080.

./teecp --device=lo0 --bpf='port 1234' --verbose=true --output-tcp 'localhost:8080'

The --bpf flag can handle Berkeley Packet Filter syntax.

A handful of examples:

By default TCP connections are closed after forwarding a packet. It is possible to enable keep alive like this:

--output-tcp 'localhost:8080|keepalive'

The application relies upon libpcap (for compiling Windows binaries, download developer pack) and GoLang.

OS X via Homebrew

brew install libpcap

Ubuntu, Debian via APT

apt-get install -y libpcap-dev

Putting it all together

go vet . && go fmt . && go test -v . && go build . && ./teecp --device=lo0 --bpf='port 1234' --verbose=true --output-tcp "test.com:123"

• Route42
• open a PR and add YourCompany!

• GoReplay HTTP(S) https://github.com/buger/goreplay
• TCPCopy https://github.com/session-replay-tools/tcpcopy
• Duplicator https://github.com/agnoster/duplicator
• IPTables iptables -t mangle -A POSTROUTING -p tcp --dport 1234 -j TEE --gateway IP_HOST_B