Closed hackern0v1c3 closed 4 years ago
After doing some testing I do need to use the --net=host option for the broadcast packets to reach the monitored network. I still think a Docker container is the simplest way to go, especially because update deployment is so easy.
Should I package the project as a Docker container or as an application to be installed on a Linux host? Docker has the advantage of being very easy to deploy and manage, but the networking can be more limited and complicated. Installing directly on the host OS opens more networking options but also means a device must be dedicated to the application, and installation / updating can be more difficult.
At this point I am leaning towards Docker and just starting with simple detection like LLMNR/NBNS spoofing. Going this route might mean I can never detect tools like mitm6 that use poisoning for MITM attacks unless I require the --net=host option.
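As an added example, not code from this project, this is one way the "simple" NBNS spoofing detection mentioned above can work: broadcast a name query for a canary host that does not exist, and treat any positive answer as evidence of a poisoner; the canary name, transaction id and the sample addresses are assumed, and the broadcast itself only reaches the monitored segment under --net=host.

```python
import socket
import struct

CANARY = "NOSUCHHOST-PROBE"  # assumed canary name; no legitimate host should answer for it

def encode_nbns_name(name: str) -> bytes:
    """NBNS first-level encoding: 16-byte space-padded name, each nibble written as nibble + 'A'."""
    padded = name.upper().ljust(16)[:16].encode("ascii")
    encoded = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in padded)
    return bytes([32]) + encoded + b"\x00"

def build_nbns_query(name: str, txid: int) -> bytes:
    """Broadcast NB name query: flags 0x0110 = query, recursion desired, broadcast; QTYPE NB, QCLASS IN."""
    return struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0) + encode_nbns_name(name) + struct.pack(">HH", 0x0020, 0x0001)

def _skip_name(data: bytes, off: int) -> int:
    while 0 < data[off] < 0xC0:  # walk labels until the terminator or a compression pointer
        off += 1 + data[off]
    return off + (2 if data[off] >= 0xC0 else 1)

def parse_nbns_response(data: bytes, txid: int):
    """Return the IPv4 addresses a responder claims for our query, or None if the packet is unrelated."""
    if len(data) < 12:
        return None
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000 or an == 0:  # wrong id, not a response, or no answers
        return None
    off, addrs = 12, []
    for _ in range(qd):  # skip any echoed question section
        off = _skip_name(data, off) + 4
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == 0x0020:  # NB record: each entry is 2-byte NB_FLAGS followed by a 4-byte IPv4
            addrs.extend(socket.inet_ntoa(rdata[i + 2:i + 6]) for i in range(0, len(rdata) - 5, 6))
    return addrs

def probe_for_poisoner(txid: int = 0x1234, timeout: float = 2.0):
    """Broadcast the canary query; a reply claiming the canary name means something is poisoning NBNS."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(build_nbns_query(CANARY, txid), ("255.255.255.255", 137))
        try:
            data, (src, _) = s.recvfrom(1024)
        except socket.timeout:
            return None  # silence is the expected, healthy result
        claimed = parse_nbns_response(data, txid)
        return (src, claimed) if claimed else None
```

The same canary approach applies to LLMNR (multicast to 224.0.0.252:5355 with a DNS-style query), and the source address of any reply is the host to investigate.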