
Author Archives: hrbrmstr

Don't look at me…I do what he does — just slower. #rstats avuncular • Resistance Fighter • Cook • Christian • [Master] Chef des Données de Sécurité @ @rapid7

(Re-posted from 47 Watch).

The State Department, under the stewardship of Secretary Marco Rubio, has just dropped a bombshell determination that’s about as subtle as a foghorn in a library.

You can/should review the Federal Register notice before continuing. There is a markdown formatted version of this on the 47 Watch knot.

In a nutshell, they’ve decided that pretty much everything involving borders, immigration, and international trade should now be considered a “foreign affairs function.”

Why does this matter?

Well, it’s because this administrative magic trick exempts these activities from the Administrative Procedure Act — a law that ensures the government can’t just make sweeping changes without telling anyone. It’s like democracy’s version of “no take-backsies.”

Let’s break down just some of the potential consequences:

  1. The “Surprise Border Policy” Scenario: Imagine waking up to find out the rules for entering or leaving the country have changed overnight. It’s like showing up to a potluck and finding out it’s now a formal dinner party — and you’re the only one in flip-flops.

  2. The “Your Phone is Our Phone” Situation: Border agents could potentially get more power to access your devices. Hope you’re ready to share your entire camera roll with strangers in uniform (who will all be employees of a private company, soon)!

  3. The “Economic Whiplash” Effect: The government could slap trade restrictions on countries faster than you can say “global supply chain disruption.” It’s like playing economic Jenga, but with real people’s livelihoods.

This determination could lead to policies being implemented without public input or oversight. It’s like the government putting on noise-canceling headphones while making decisions that affect millions of lives.

So, what can we do?

Well, it’s time (again) to make some noise.

Write to your representatives, call your senators, and make your voice heard.

Let’s shine a light on this issue before we wake up in a country where border policy is decided by whether the angrily-tossed plate with condiments on it hits the wall ketchup-side up or down.

If you’re looking for something to riff from when contacting your representative, this is what I’m emailing, printing-and-mailing, and calling (on Monday) my reps with:

——

As a [what you do + where you reside], I strongly oppose the determination to classify all efforts related to border control, immigration, and cross-border transfers as “foreign affairs functions” under the Administrative Procedure Act (APA).

This determination poses significant risks to transparency, accountability, and the fundamental principles of democratic governance. By exempting these critical areas from APA requirements, we risk implementing far-reaching policies without proper public scrutiny or input. This is particularly concerning given the complex, nuanced nature of immigration and border security issues.

The broad scope of this determination, encompassing “people, goods, services, data, technology, and other items,” is alarmingly vague and could lead to overreach in areas such as digital privacy and trade. As someone deeply involved in data science and security, I foresee potential abuses in data collection and surveillance that could infringe on civil liberties and hinder technological innovation.

Furthermore, this determination may exceed executive authority and violate the separation of powers. The Constitution grants Congress, not the executive branch, the power to establish a “uniform Rule of Naturalization” (Article I, Section 8, Clause 4). This sweeping reclassification appears to usurp congressional authority over immigration law.

From a national security perspective, while rapid response capabilities are important, the lack of public input and oversight could lead to poorly conceived policies that actually harm our security interests. Hastily implemented changes could disrupt critical international relationships, intelligence sharing, and cooperative law enforcement efforts.

I urge you to reconsider this determination. Instead, focus on improving existing processes within the current legal framework, ensuring that changes to immigration and border policies remain subject to proper public scrutiny and democratic checks and balances.

On March 10, 2025, Xitter experienced major service disruptions throughout the day. Users couldn’t access the platform on both mobile apps and the website. Here’s what happened and why it matters.

What Happened?

X suffered multiple waves of outages starting early Monday morning:

  • First wave: Around 6:00 AM Eastern Time, affecting about 20,000 users
  • Second wave: Around 10:00 AM ET, with over 40,000 users reporting problems
  • Third wave: Between 11:00 AM and noon, affecting nearly 30,000 users

People trying to use Xitter saw loading symbols, error messages saying “Something went wrong. Try reloading,” or couldn’t access the service at all.

Who Was Behind It?

A pro-Palestinian hacking group called Dark Storm Team claimed responsibility for the attack. They posted on their Telegram channel: “Twitter has been taken offline by Dark Storm Team,” along with screenshots showing connection failures from different global locations.

Dark Storm Team has been active since around 2023 and is known for targeting organizations in Israel, Europe, and the United States. According to security experts, the group specializes in DDoS attacks and has a pro-Palestinian orientation.

What Did Elon Musk Say?

Elon Musk, Xitter’s owner, acknowledged the attack several hours after it began: “There was (still is) a massive cyberattack against Xitter. We get attacked every day, but this was done with a lot of resources. Either a large, coordinated group and/or a country is involved.”

Later, in an interview with Fox Business, Musk made a controversial claim connecting the attack to Ukraine: “We’re not sure exactly what happened but there was a massive cyberattack to try and bring down the Xitter system with IP addresses originating in the Ukraine area.” He provided no evidence to support this claim.

What Was the Reaction?

Cybersecurity experts expressed significant skepticism about Musk’s Ukraine claim:

  • They pointed out that attack origin IP addresses can be easily masked or manipulated
  • Attackers routinely route activities through compromised systems in other countries

Ukrainian officials firmly denied any involvement. Oleksii Merezhko, chairman of Ukraine’s parliamentary Foreign Affairs Committee, stated that the Ukrainian government had “absolutely” no part in the alleged cyberattack on Xitter.

Ed Krassenstein, who claimed to have communicated with Dark Storm’s leader, contradicted Musk’s assertion. According to screenshots shared online, the group responded to the Ukraine claim by saying: “Elon Musk must provide evidence for his claim, and we will provide evidence for ours.” They allegedly threatened further attacks, warning “We can attack again. A stronger attack this time, not only on Xitter but Tesla and others.”

What Type of Attack Was It?

The incident was a distributed denial-of-service (DDoS) attack. These attacks work by:

  • Overwhelming a platform’s servers with excessive traffic
  • Causing slowdowns or complete outages by exhausting available resources
  • Using compromised devices (forming a “botnet”) to send overwhelming amounts of data

Cybersecurity experts described this attack as “far beyond simple DoS attempts,” involving “full-scale DDoS assaults, combined with sophisticated botnet activity, credential stuffing, API abuse, and targeted application-layer attacks designed to cripple operations.”

How Did Xitter Respond?

Xitter implemented Cloudflare’s DDoS protection services to mitigate the impact. This defensive measure introduced captcha verification for suspicious IP addresses generating too many requests. By evening, the platform had largely recovered, though some users continued to experience intermittent issues.

I’m not surprised Cloudflare helps protect Nazis, but it’d be nice to live in a universe where they all crawled back under their rocks for good.

(This post originally published on 47 Watch)

Recent administrative changes at the Social Security Administration (SSA) reveal a concerning pattern of decisions that disproportionately impact vulnerable populations while being implemented in ways that limit public awareness and oversight. Two specific policy reversals highlight this trend: the reinstatement of 100% benefit withholding for overpayments and the termination of “Enumeration at Birth” contracts in several states.

The Overpayment Recovery Rate Reversal

On March 7, 2025, the SSA quietly announced it would revert to withholding 100% of monthly benefits from recipients with overpayments, effective March 27, 2025. This reverses a significant reform implemented just one year prior, in March 2024, when the agency reduced the default withholding rate from 100% to 10% of monthly benefits.

The 2024 reform had been implemented specifically to prevent vulnerable beneficiaries from facing homelessness or inability to pay for basic necessities when their entire benefit was withheld. As former Commissioner Martin O’Malley stated, the previous practice was “unconscionable” when it left people “facing homelessness or unable to pay bills, because Social Security withheld their entire payment for recovery of an overpayment.”

Data from the SSA showed the 2024 policy change had measurable positive impacts:

  • The number of people newly placed in full withholding plummeted from 6,771 in February to just 51 in September 2024
  • Approximately 200,000 beneficiaries were able to maintain 90% of their benefits during repayment
 

While beneficiaries can still appeal for hardship waivers to reduce the withholding rate, the appeals process now faces significant delays — reportedly up to 200 days due to staffing shortages at SSA offices. This administrative bottleneck creates a de facto policy of 100% withholding for extended periods, even for those who would qualify for reduced rates.

Acting Commissioner Lee Dudek has framed the reversal as fulfilling the agency’s “significant responsibility to be good stewards of the trust funds for the American people,” estimating the change would increase overpayment recoveries by approximately $7 billion over the next decade.

The Enumeration at Birth Contract Terminations

In a separate but similarly concerning move, the SSA terminated “Enumeration at Birth” contracts with several states, including Maine, in February 2025. These contracts, which had been operating efficiently since 1980, allowed parents to register newborns for Social Security numbers through a simple automated hospital process.

The termination means parents must now physically visit Social Security offices with their newborns and documentation to apply for numbers — a significant burden in rural states like Maine with sparse populations and limited SSA offices. After public backlash and pressure from congressional representatives, Acting Commissioner Dudek issued an apology and claimed he would “reinstate” the contracts.

However, as numerous administrative experts have pointed out, federal contracts cannot simply be “reinstated” after termination. The entire contracting process must start over, which is:

  1. More expensive than maintaining the original contracts
  2. Time-consuming, especially with reduced SSA staff
  3. An unnecessary burden for new parents in the meantime
 

Notably, the contracts were terminated in six states, all of which have Democratic representatives in Congress, suggesting potential political targeting. Maine’s governor — Janet Mills — is also embroiled in a fight with Trump and his administration over rights of transgender citizens.

The terminations were supposedly conducted to save money (approximately $77,000 for a five-year contract base), but will likely result in higher administrative costs, less efficient service delivery, and more work for already-strained Social Security offices.

The Pattern of Administrative Weaponization

Both policy changes share several concerning characteristics:

  1. Quiet implementation: Both were announced with minimal publicity, with the overpayment policy change released late on a Friday, a classic tactic to minimize media coverage.

  2. Disproportionate impact on vulnerable populations: Both changes primarily affect those least equipped to navigate bureaucratic hurdles — elderly and disabled beneficiaries in the case of overpayments, and new parents in rural areas for the Enumeration at Birth terminations.

  3. Administrative roadblocks to relief: While both policies theoretically offer pathways for relief (appeals for overpayment withholding, visiting SSA offices for birth enumeration), administrative realities like extended processing times and limited office locations create de facto barriers.

  4. Questionable fiscal justifications: Both changes are justified as fiscal responsibility measures, yet both may ultimately cost more in administrative overhead and downstream social costs than they save.

  5. Appearance of political targeting: The pattern of states affected by the Enumeration at Birth terminations, along with reports of partisan “hotlines” to expedite certain cases, suggests potentially politically motivated implementation.

These administrative changes highlight how consequential policy shifts can occur not through legislative action but through bureaucratic decisions that receive little public attention or congressional oversight. As these policies take effect in the coming weeks, their impact on vulnerable Social Security beneficiaries and new parents will become increasingly apparent.

I sent this as an op-ed to the Portland Press Herald but have no delusion they will ACK it or post even a small part of it.

As a longtime Mainer and independent voter, I have watched Senator Susan Collins’ career with cautious optimism, hoping her self-branded image as a moderate willing to cross party lines might translate into principled leadership. Instead, the first six weeks of 2025 have crystallized a painful truth: Collins has become a hollow figurehead, enabling the most destructive elements of Donald Trump’s agenda while abandoning the Mainers she swore to represent. Her recent actions—from rubber-stamping unconstitutional power grabs to greenlighting devastating cuts to healthcare—demand either immediate course correction or resignation.

Collins’ vote to confirm Russell Vought as White House budget director epitomizes her moral bankruptcy. Vought, architect of the “Project 2025” blueprint to concentrate unchecked executive power, openly advocates allowing presidents to ignore congressionally approved spending—a direct threat to Collins’ own role as Senate Appropriations Chair. Her justification—“Presidents deserve broad discretion”—ignores that Vought’s ideology undermines the Constitution’s separation of powers. This is not moderation; it is complicity in authoritarian overreach.

Her tepid opposition to Trump’s FBI director nominee, Kash Patel, further exposes her impotence. While Collins criticized Patel’s “aggressive political activity”, her lone dissent failed to sway colleagues, allowing confirmation of a man who published an “enemies list” of federal employees. Maine deserved a leader who marshals bipartisan resistance to such extremism, not symbolic gestures devoid of consequence.

Collins’ support for the Senate GOP’s February 2025 budget framework reveals her allegiance to party over constituents. The bill slashes $300 billion from Medicaid—a lifeline for 400,000 Mainers, including rural hospitals already teetering on collapse. Her vote alongside Josh Hawley to reject amendments protecting Medicaid contradicts her 2024 boasts about healthcare funding. This hypocrisy will have dire consequences: Maine’s elderly, disabled, and low-income families face reduced coverage, while hospitals risk closure under reimbursement cuts.

Equally alarming is her silence as Trump’s administration weaponizes budget processes to dismantle agencies. Despite chairing Appropriations, Collins has done nothing to stop Elon Musk’s illegal shutdown of USAID offices in February 2025—a move that locked employees out of critical systems. When asked about Musk’s unconstitutional spending freezes, she offered only vague hopes for judicial intervention. Mainers deserve a fighter, not a bystander.

Collins’ failures are not newfound. Her 2020 defense of Trump’s catastrophic COVID-19 response—claiming he “did a lot right”—ignored his months of denial that left Maine vulnerable. Her 2022 vote to confirm Justice Brett Kavanaugh, despite his role in overturning Roe v. Wade, shattered trust with pro-choice Mainers. Now, as constituent letters flood newspapers pleading for accountability, Collins remains aloof, refusing town halls for over two decades.

Her 2025 appropriations role compounds these betrayals. While securing $5 million for wood heaters, she overlooks existential threats: the Kennebec River dredging project, critical for Navy destroyers, remains underfunded, jeopardizing Bath Iron Works jobs. Meanwhile, her committee advances Trump’s deportation raids and education cuts, policies anathema to Maine’s values.

Collins faces a choice: justify her actions with substance or step aside. If she believes slashing Medicaid strengthens Maine, let her hold a town hall in Biddeford and explain it to families relying on insulin coverage. If Musk’s USAID shutdowns align with constitutional duty, let her debate Angus King on live television. Absent such accountability, her continued presence in office insults Mainers’ intelligence.

The 2026 election looms, with forecasters already labeling her seat a toss-up. But Maine cannot wait. We need leaders who prioritize people over political survival, who confront power rather than coddling it. Susan Collins has forfeited that mantle. It is time for her to reclaim it—or make way for someone who will.

Today, my Senator — Susan Collins — failed in her oath and duty to uphold the Constitution. She voted for the appointment of a traitor to head national intelligence, and is supporting someone for director of the Office of Management and Budget (OMB) who openly wants to dismantle the foundations of American government. She has done nothing to oppose the Administrative coup we’ve been witnessing since POTUS 47 took office. She is now, fully, a willing collaborator. The Executive branch is now nigh irreparably and wholly corrupted, and the Congress is — effectively — on a leash wielded by the POTUS.

The American system of government was designed with multiple layers of protection against the concentration and abuse of power. While we typically focus on federal checks and balances, states play a paramount role as independent sovereigns in our federal system, particularly when federal safeguards falter. Understanding these state powers is essential for maintaining constitutional governance.

The architects of American federalism deliberately created a system where states retain significant independent authority. This includes control over their law enforcement agencies, National Guard units, and the ability to refuse state resources for federal actions. Perhaps most importantly, states maintain the power to prosecute federal officials who act outside their legal authority and violate state laws. These powers weren’t accidents of history — they were deliberately preserved to prevent federal overreach.

Individual states become even more effective when they work together. Through formal interstate compacts and informal coordination, states can create powerful counterweights to federal overreach. This might involve sharing intelligence about illegal federal activities, coordinating legal responses, or pooling resources to resist unconstitutional actions. When multiple states stand together, their collective influence often exceeds the sum of their individual powers.

States control critical infrastructure and resources that federal authorities rely upon to function effectively. This gives states significant practical leverage through their ability to withhold cooperation on federal programs or impose economic consequences on entities that support illegal federal actions. While these powers should be used judiciously, they provide states with concrete tools to resist federal overreach.

Ultimately, the effectiveness of state resistance to federal overreach depends on democratic legitimacy and public support. State officials must be willing to uphold their constitutional oaths, local law enforcement must maintain order under state authority, and citizens must engage in civil resistance to support legitimate government. This democratic foundation is what transforms state powers from theoretical authorities into practical tools for preserving constitutional order.

It’s important to note that state resistance powers come with significant responsibilities. States must exercise these authorities carefully and only in response to genuine constitutional violations, not mere policy disagreements. The goal is to preserve constitutional order, not to create chaos or unnecessarily disrupt legitimate federal operations.

The distributed nature of American governance remains one of our strongest protections against tyranny. While a corrupt federal official might attempt to misuse power, success would require complicity from state and local institutions across the country. By understanding and preserving state powers to resist federal overreach, we maintain essential safeguards for constitutional governance.

The system of checks and balances becomes most critical precisely when it appears to be failing at the federal level. In these moments, state powers of resistance — exercised responsibly and with democratic support — provide crucial backup systems for preserving constitutional order. Understanding these powers helps ensure they remain available when needed most.

Unfortunately, the “Trump 25” states form a solid base of support across four geographic regions:

  • Southern states: North Carolina, South Carolina, Alabama, Mississippi, Louisiana, Arkansas, Oklahoma, Texas
  • Outer South/Industrial Midwest: Kentucky, Tennessee, West Virginia, Ohio, Indiana
  • Plains/Agricultural Midwest: North Dakota, South Dakota, Nebraska, Iowa, Missouri
  • Mountain states: Montana, Wyoming, Idaho, Utah
  • Plus Alaska
     

Several states are taking concrete actions to support federal initiatives:

  • Texas has signed agreements allowing National Guard to make immigration arrests
  • Indiana and Nebraska have directed law enforcement to cooperate with ICE
  • Tennessee approved measures creating state immigration enforcement positions
  • Florida, Texas, and Nevada governors indicated readiness to mobilize National Guard units
     

Republican-led states are advancing legislation to:

  • Expand cooperation with federal immigration enforcement
  • Support deportation efforts
  • Enable information sharing between state and federal agencies
  • Create new state-level enforcement mechanisms
     

This is just the beginning of their willing capitulation to a corrupt regime. It will only get worse.

I call on Maine’s Governor, Janet Mills, to work with the remaining states to do whatever it takes to uphold democratic principles and the rule of law. Without such a coalition, we will most certainly lose our Republic.

I mentioned this new app over at the newsletter but it deserves a mention on the legacy blog.

CVESky is a tool to explore CVE chatter on Bluesky. At work, we’re ingesting the Bluesky Jetstream and watching for CVE chatter, excluding daft bots that just regurgitate new NVD CVEs.

There are six cards for the current and past five days of chatter, with CVEs displayed in descending order of activity. Tapping on a CVE provides details, and the ability to explore the CVE on Bluesky, Feedly, CIRCL’s Vuln Lookup, and — if present in our data — GreyNoise.

At the bottom of the page is a 30-day heatmap of CVE chatter. Tap on any populated square to see all the Bluesky chatter for that CVE.

This is similar to, but slightly different from, the most excellent CVE Crowd, which monitors the Mastodonverse for CVE chatter.

The code behind the site also maintains a Bluesky list containing all the folks who chatter about CVEs on Bluesky.

Comments? Questions? Bugs? Feature requests? Hit up research@greynoise.io.
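The per-day ranking described above (CVEs per day in descending order of activity, with bot accounts excluded), as an added Python example that is not the site's own code. It assumes Jetstream's commit-event JSON shape (`did`, `time_us`, `kind`, `commit.collection`, `commit.record.text`); the `bot_dids` denylist is a hypothetical stand-in for whatever bot filtering CVESky actually does, and the events and CVE-2099-* identifiers are constructed placeholders.

```python
import json
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed Jetstream-style events, one JSON object per line. The DIDs, text and
# CVE-2099-* identifiers are placeholders made up for this example.
SAMPLE_EVENTS = """\
{"did":"did:plc:alice","time_us":1721752266000000,"kind":"commit","commit":{"operation":"create","collection":"app.bsky.feed.post","record":{"text":"Patch now: CVE-2099-0001 is being exploited"}}}
{"did":"did:plc:bob","time_us":1721752266000000,"kind":"commit","commit":{"operation":"create","collection":"app.bsky.feed.post","record":{"text":"cve-2099-0001 and CVE-2099-0002 notes, CVE-2099-0001 again"}}}
{"did":"did:plc:examplebot","time_us":1721752266000000,"kind":"commit","commit":{"operation":"create","collection":"app.bsky.feed.post","record":{"text":"New CVE: CVE-2099-0003"}}}
{"did":"did:plc:carol","time_us":1721752266000000,"kind":"commit","commit":{"operation":"create","collection":"app.bsky.feed.like","record":{"subject":{"uri":"at://example"}}}}
{"did":"did:plc:carol","time_us":1721838666000000,"kind":"commit","commit":{"operation":"create","collection":"app.bsky.feed.post","record":{"text":"Seeing scans for CVE-2099-0002 today"}}}
{"did":"did:plc:alice","time_us":1721838666000000,"kind":"commit","commit":{"operation":"delete","collection":"app.bsky.feed.post","rkey":"example"}}
{"did":"did:plc:bob","time_us":1721838666000000,"kind":"identity"}
not json
"""


def cve_activity_by_day(lines, bot_dids=frozenset()):
    """Return {day: [(cve, posts), ...]}, newest day first, busiest CVE first."""
    per_day = defaultdict(Counter)
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                      # tolerate junk on the stream
        if not isinstance(event, dict) or event.get("kind") != "commit":
            continue                      # identity/account events carry no post text
        commit = event.get("commit") or {}
        if commit.get("operation") != "create":
            continue                      # deletes have no record to inspect
        if commit.get("collection") != "app.bsky.feed.post":
            continue                      # likes, reposts, follows, ...
        if event.get("did") in bot_dids:
            continue                      # hypothetical denylist of feed-mirroring bots
        text = (commit.get("record") or {}).get("text") or ""
        # A post counts once per CVE, however often or in which case it names it.
        cves = {match.upper() for match in CVE_RE.findall(text)}
        time_us = event.get("time_us")
        if not cves or not isinstance(time_us, int):
            continue
        when = datetime.fromtimestamp(time_us // 1_000_000, tz=timezone.utc)
        per_day[when.date().isoformat()].update(cves)
    return {
        day: sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
        for day, counts in sorted(per_day.items(), reverse=True)
    }


if __name__ == "__main__":
    ranked = cve_activity_by_day(SAMPLE_EVENTS.splitlines(), {"did:plc:examplebot"})
    for day, rows in ranked.items():
        print(day, rows)
```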

2024-08-30 UPDATE:
Binary versions of this extension are available for amd64 Linux (linux_amd64 & linux_amd64_gcc4) and Apple Silicon (osx_arm64).

$ duckdb -unsigned
v1.0.0 1f98600c2c
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
D SET custom_extension_repository='https://w3c2.c20.e2-5.dev/ppcap/latest';
D INSTALL ppcap;
D LOAD ppcap;

2024-08-29 UPDATE: The Apple Silicon macOS and Linux AMD64 versions of the plugin now work with PCAP files that are “Raw IP” vs. just “Ethernet”.

We generate a ton of PCAP files at $DAYJOB. Since I do not always have to work directly with them, I regularly mix up or forget the various tshark, tcpdump, etc., filters and CLI parameters. While this is less of an issue in the age of LLM/GPTs (just ask local ollama to gen the CLI incantation, and it usually does a good job), each failed command makes me miss Apache Drill just a tad, since it had/has a decent, albeit basic, PCAP reading capability.

For the past few months, I’ve had an “I should build a DuckDB extension to read PCAP files” idea floating in the back of my mind. Thanks to lingering issues from long covid, I’m back in the “let’s wake him up at 0-dark-30 and not let him get back to sleep” routine, so I decided to try to scratch this itch (I was actually hoping super focused work would engender slumber, but that, too, was a big fail).

The DuckDB folks have a spiffy extension template that you can use/fork to get started. It’s been a minute since I’ve had to work in C++ land, and I’m also used to working with system-level, or vendored libraries when doing said work. So, first I had to figure out vcpkg — a C/C++ dependency manager from (ugh) Microsoft — as the DuckDB folks strongly encourage using it (and they use it). You likely do not have to get in the weeds, since there are three lines in the extension template that are (pretty much) all you really need to know/do.

Once that was done, I added libpcap to the DuckDB vcpkg deps. Then, a review of the structure of the example extension and the JSON, CSV, and Parquet reader extensions was in order to get a feel for how to add new functions, and return rectangular data from an entirely new file type.

To get started, I focused on some easy fields: source/destination IPs, timestamp, and payload length and had some oddly great success. So, of course, I had to start a Mastodon thread.

The brilliant minds at DuckDB truly made it pretty straightforward to work with list/array columns, and write new utility functions, so I just kept adding fields and functionality until time ran out (adulting is hard).

At present, the extension exposes the following fields from a PCAP file:

  • timestamp
  • source_ip
  • dest_ip
  • source_port
  • dest_port
  • length
  • tcp_session
  • source_mac
  • dest_mac
  • protocols
  • payload
  • tcp_flags
  • tcp_seq_num

It also has a read_pcap function that supports wildcards or an array of filenames. And, there are three utility functions, one that does a naive test for whether a payload is an HTTP request or response, another that extracts HTTP request headers (if present), and one more that extracts some info from ICMP packets.
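What a reader has to do to turn a capture into the columns listed above, including the “Raw IP” versus “Ethernet” link types from the 2024-08-29 update, as an added Python example that is not the extension's C++/libpcap code. It assumes classic pcap files (not pcapng) and IPv4/TCP only; `read_pcap` and `is_http` here are illustrative re-implementations named after the extension's functions, the HTTP prefix test is an assumption about what "naive" means, and the capture bytes are constructed.

```python
import ipaddress
import struct
from datetime import datetime, timezone

LINKTYPE_ETHERNET, LINKTYPE_RAW = 1, 101   # link-layer type field of the pcap file header
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/1.")


def is_http(payload: bytes) -> bool:
    """Naive prefix test (an assumption; the extension's own heuristic is not shown)."""
    return payload.startswith(HTTP_STARTS)


def parse_frame(frame: bytes, linktype: int):
    """Return a row dict for an IPv4/TCP frame, or None for anything else."""
    row = {"source_mac": None, "dest_mac": None, "protocols": []}
    if linktype == LINKTYPE_ETHERNET:
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":
            return None                    # ARP, IPv6 and VLAN-tagged frames are skipped
        row["dest_mac"], row["source_mac"] = frame[0:6].hex(":"), frame[6:12].hex(":")
        row["protocols"].append("Ethernet")
        frame = frame[14:]                 # a raw-IP capture starts at this point already
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if ihl < 20 or frame[9] != 6:
        return None                        # malformed header length, or not TCP
    total_len = struct.unpack("!H", frame[2:4])[0]
    # Use total_len only when it is sane; it trims Ethernet padding from short frames.
    end = total_len if ihl + 20 <= total_len <= len(frame) else len(frame)
    tcp = frame[ihl:end]
    if len(tcp) < 20:
        return None
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    if not 20 <= data_off <= len(tcp):
        return None                        # TCP header claims more bytes than captured
    src, dst = (str(ipaddress.IPv4Address(frame[i:i + 4])) for i in (12, 16))
    payload = tcp[data_off:]
    row["protocols"] += ["IP", "TCP"]
    row.update(
        source_ip=src, dest_ip=dst, source_port=sport, dest_port=dport,
        length=len(payload), tcp_session=f"{src}:{sport}-{dst}:{dport}",
        payload=payload, tcp_seq_num=seq,
        tcp_flags=sorted(name for bit, name in TCP_FLAGS.items() if off_flags & bit),
    )
    return row


def read_pcap(data: bytes):
    """Yield one row per IPv4/TCP packet of a classic (non-pcapng) capture."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a microsecond-resolution pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype not in (LINKTYPE_ETHERNET, LINKTYPE_RAW):
        raise ValueError(f"unsupported link type {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < incl_len:
            break                          # final record cut short; stop cleanly
        row = parse_frame(frame, linktype)
        if row is not None:
            when = datetime.fromtimestamp(ts_sec, tz=timezone.utc)
            row["timestamp"] = when.strftime("%Y-%m-%d %H:%M:%S")
            yield row


def build_sample_pcap(linktype: int) -> bytes:
    """Constructed one-packet capture: documentation-range IPs, zeroed checksums."""
    payload = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    tcp = struct.pack("!HHIIHHHH", 49678, 80, 1000, 2000,
                      (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address("192.0.2.10").packed,
                     ipaddress.IPv4Address("198.51.100.20").packed) + tcp
    frame = ip
    if linktype == LINKTYPE_ETHERNET:
        frame = bytes.fromhex("020000000002 020000000001 0800") + ip
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return header + struct.pack("<IIII", 1721752266, 0, len(frame), len(frame)) + frame


if __name__ == "__main__":
    for lt in (LINKTYPE_ETHERNET, LINKTYPE_RAW):
        for r in read_pcap(build_sample_pcap(lt)):
            print(lt, r["tcp_session"], r["tcp_flags"], is_http(r["payload"]))
```

The only difference between the two link types is whether a 14-byte Ethernet header precedes the IP header, which is why the raw-IP rows carry no MAC addresses.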

Stop Telling Me And Show Me

Fine.

Here’s an incantation that naively converts all HTTP request and response packets to Parquet, since it will always be faster to use Parquet than it will be to use PCAPs:

duckdb -unsigned <<EOF
LOAD ppcap;

COPY (
  FROM 
    read_pcap('scans.pcap')
  SELECT
    *,
    is_http(payload) AS is_http,
    extract_http_request_headers(payload) AS req
) TO 'scans.parquet' (FORMAT PARQUET);
EOF

duckdb -json -s "FROM read_parquet('scans.parquet') WHERE is_http LIMIT 2" | jq
[
  {
    "timestamp": "2024-07-23 16:31:06",
    "source_ip": "94.156.71.207",
    "dest_ip": "203.161.44.208",
    "source_port": 49678,
    "dest_port": 80,
    "length": 154,
    "tcp_session": "94.156.71.207:49678-203.161.44.208:80",
    "source_mac": "64:64:9b:4f:37:00",
    "dest_mac": "00:16:3c:cb:72:42",
    "protocols": "[Ethernet, IP, TCP]",
    "payload": "GET /_profiler/phpinfo HTTP/1.1\\x0D\\x0AHost: 203.161.44.208\\x0D\\x0AUser-Agent: Web Downloader/6.9\\x0D\\x0AAccept-Charset: utf-8\\x0D\\x0AAccept-Encoding: gzip\\x0D\\x0AConnection: close\\x0D\\x0A\\x0D\\x0A",
    "tcp_flags": "[ACK, PSH]",
    "tcp_seq_num": "2072884123",
    "is_http": true,
    "req": "[{'key': Host, 'value': 203.161.44.208}, {'key': User-Agent, 'value': Web Downloader/6.9}, {'key': Accept-Charset, 'value': utf-8}, {'key': Accept-Encoding, 'value': gzip}, {'key': Connection, 'value': close}]"
  },
  {
    "timestamp": "2024-07-23 16:31:06",
    "source_ip": "203.161.44.208",
    "dest_ip": "94.156.71.207",
    "source_port": 80,
    "dest_port": 49678,
    "length": 456,
    "tcp_session": "203.161.44.208:80-94.156.71.207:49678",
    "source_mac": "00:16:3c:cb:72:42",
    "dest_mac": "64:64:9b:4f:37:00",
    "protocols": "[Ethernet, IP, TCP]",
    "payload": "HTTP/1.1 404 Not Found\\x0D\\x0ADate: Tue, 23 Jul 2024 16:31:06 GMT\\x0D\\x0AServer: Apache/2.4.52 (Ubuntu)\\x0D\\x0AContent-Length: 276\\x0D\\x0AConnection: close\\x0D\\x0AContent-Type: text/html; charset=iso-8859-1\\x0D\\x0A\\x0D\\x0A<!DOCTYPE HTML PUBLIC \\x22-//IETF//DTD HTML 2.0//EN\\x22>\\x0A<html><head>\\x0A<title>404 Not Found</title>\\x0A</head><body>\\x0A<h1>Not Found</h1>\\x0A<p>The requested URL was not found on this server.</p>\\x0A<hr>\\x0A<address>Apache/2.4.52 (Ubuntu) Server at 203.161.44.208 Port 80</address>\\x0A</body></html>\\x0A",
    "tcp_flags": "[ACK, PSH]",
    "tcp_seq_num": "2821588265",
    "is_http": true,
    "req": null
  }
]

The reason for ppcap is that I was too lazy to deal with some symbol name collisions (between the extension and libpcap) in a more fancy manner. I’ll eventually figure out how to make it just pcap. PRs welcome.

How Do I Get This?

Well, for now, it’s a bit more complex than an INSTALL ppcap. My extension is not ready for prime time, so it won’t be in the DuckDB community extensions for a while. Which means, you’ll need to install it manually, and also get used to using the -unsigned CLI flag (I’ve aliased that to duckdbu).

NOTE: you need to be running v1.0.0+ of DuckDB for this extension to work.

Here’s how to install it on macOS + Apple Silicon and test to see if it worked:

# where extensions live on macOS + Apple Silicon
mkdir -p ~/.duckdb/extensions/v1.0.0/osx_arm64

# grab and "install" the extension
curl --output ~/.duckdb/extensions/v1.0.0/osx_arm64/ppcap.duckdb_extension https://rud.is/dl/pcap/darwin-arm64/ppcap.duckdb_extension

# this should not output anything if it worked
duckdb -unsigned -s "load ppcap"

Linux folks can sub out osx_arm64 and darwin-arm64 with linux_amd64 or linux_amd64_gcc4, depending on your system architecture, which you can find via duckdb -s "PRAGMA platform". linux_amd64_gcc4 is the architecture of the Linux amd64/x86_64 binary offered for download from DuckDB-proper.

Source is, sadly, on GitHub: https://github.com/hrbrmstr/duckdb-pcap.

Looks like I’m “back” 💪🏼.