Daemonlogger
DRAFT
This page is still a draft. Thank you for your understanding.
Description
What is daemonlogger
Daemonlogger is a packet logger and soft tap built on libpcap. It has two runtime modes:
- It sniffs packets and spools them straight to disk; it can daemonize itself for background packet logging.
- It sniffs packets and rewrites them to a second interface, essentially acting as a soft tap (no file is written in this mode).
The tool was written by Martin (Marty) Roesch of Sourcefire Inc.
How does it differ from tcpdump?
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your understanding.
Installation
Prerequisites
First install libdnet, which daemonlogger needs for its soft-tap (retransmit) mode:
$ cd /data/src/
$ wget http://transact.dl.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz
$ tar xvzf libdnet-1.11.tar.gz
$ cd libdnet-1.11/
$ ./configure
$ make
# make install
Daemonlogger
$ cd /data/src/
$ wget http://www.snort.org/users/roesch/code/daemonlogger-1.2.1.tar.gz
$ tar xzvf daemonlogger-1.2.1.tar.gz
$ cd daemonlogger-1.2.1/
$ ./configure
$ make
# make install
Synopsis
Usage
daemonlogger [-options] <bpf filter>
Options
- -c <count>: Log <count> packets and exit
- -d: Daemonize at startup
- -f <bpf file>: Load BPF filter from <bpf file>
- -F: Flush the pcap buffer for each packet
- -g <group name>: Set group ID to <group name>
- -h: Show this usage statement
- -i <intf>: Grab packets from interface <intf>
- -l <path>: Log to directory <path>
- -m <count>: Generate <count> log files and quit
- -M <pct>: In ringbuffer mode, log data to <pct> of volume capacity
- -n <name>: Set output filename prefix to <name>
- -o <outf>: Disable logging, retransmit data from <intf> to <outf>
- -p <pidfile>: Use <pidfile> for PID filename
- -P <pidpath>: Use <pidpath> for PID directory
- -r: Activate ringbuffer mode
- -R <pcap file>: Read packets from <pcap file>
- -s <bytes>: Roll over the log file every <bytes>
- -S <snaplen>: Capture <snaplen> bytes per packet
- -t: Roll over the log file on time intervals
- -u <user name>: Set user ID to <user name>
- -v: Show daemonlogger version
Examples
Example 1: Basic sniffing with ring buffer
This example sniffs on eth1 in ringbuffer mode (-r). Combined with -m 5 and -s 1073741824 (1 GiB), at most five 1 GiB files are kept, so the capture is bounded to roughly 5 GiB of disk; once that limit is reached the oldest file in the log directory is pruned and logging continues (the "Pruning behavior set to oldest IN DIRECTORY" line in the output below). A snaplen of 1515 bytes captures full Ethernet frames. Note that as written the daemon keeps running as root and writes to the world-writable /tmp; for anything beyond a quick test, add -u <user name> and -g <group name> so the process does not stay root, and point -l at a dedicated directory writable only by that user.
# /usr/local/bin/daemonlogger \
    -i eth1 \
    -l /tmp \
    -m 5 \
    -n testcap \
    -r \
    -s 1073741824 \
    -S 1515
[-] Interface set to eth1
[-] Logpath set to /tmp
[-] Max files to write set to 5
[-] Log filename set to "testcap"
[-] Pidfile configured to "daemonlogger.pid"
[-] Pidpath configured to "/var/run"
[-] Ringbuffer active
[-] Rollover size set to 1073741824 bytes
[-] Snaplen set to 1515
[-] Rollover time configured for 0 seconds
[-] Pruning behavior set to oldest IN DIRECTORY

-*> DaemonLogger <*-
Version 1.2.1
By Martin Roesch
(C) Copyright 2006-2007 Sourcefire Inc., All rights reserved

Checking partition stats for log directory "/tmp/."
sniffing on interface eth1
Logging packets to /tmp/testcap.1312899477
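The last output line shows daemonlogger's file naming: <prefix>.<unix epoch at which the file was opened>, e.g. testcap.1312899477. In ringbuffer mode that is all the metadata you get, and the oldest files silently disappear, so an analyst looking for traffic from a given incident window needs to work out which file(s) cover it and whether the ring has already pruned that period. The following is an added example, not part of daemonlogger or of this page's original content; it only relies on the naming convention visible above and assumes that each file runs from its own timestamp until the next file's timestamp (the newest, still-open file runs to "now"). The sample filenames are constructed.

```python
"""Locate daemonlogger ring-buffer files covering an incident time window.

Daemonlogger names each capture <prefix>.<epoch> (see testcap.1312899477
above). The name records only when a file was opened, so this module treats
a file as covering [its epoch, next file's epoch) and the newest file as
covering [its epoch, now]. This is an added helper, not part of daemonlogger.
"""
import os
import re
from typing import List, Optional, Tuple

# <prefix>.<unix epoch>; 9-10 digits covers epochs from 2001 to 2286.
FNAME_RE = re.compile(r"^(?P<prefix>.+)\.(?P<ts>\d{9,10})$")


def parse_ring_files(names: List[str], prefix: str) -> List[Tuple[int, str]]:
    """Return (open_epoch, path) pairs for files named <prefix>.<epoch>, oldest first.

    Anything else in the directory (the pid file, other prefixes) is ignored.
    """
    ring = []
    for path in names:
        m = FNAME_RE.match(os.path.basename(path))
        if m and m.group("prefix") == prefix:
            ring.append((int(m.group("ts")), path))
    return sorted(ring)


def files_covering(names: List[str], prefix: str, start: int, end: int,
                   now: Optional[int] = None) -> List[str]:
    """Paths whose capture window overlaps the inclusive window [start, end].

    The end of a file's window is the next file's open time; for the newest
    file it is `now` (defaults to the newest file's own open time, which is
    conservative when the daemon is still writing). Note that a daemon restart
    leaves a gap that this heuristic cannot see: the file before the restart
    is assumed to run up to the restart's first file.
    """
    ring = parse_ring_files(names, prefix)
    if not ring:
        return []
    if now is None:
        now = ring[-1][0]
    hits = []
    for i, (t0, path) in enumerate(ring):
        t1 = ring[i + 1][0] if i + 1 < len(ring) else now
        if t0 <= end and t1 >= start:
            hits.append(path)
    return hits


def is_pruned(names: List[str], prefix: str, start: int) -> bool:
    """True when `start` predates the oldest surviving file, i.e. the ring
    buffer has already discarded the capture for that time (or never had it)."""
    ring = parse_ring_files(names, prefix)
    return not ring or start < ring[0][0]


if __name__ == "__main__":
    # Constructed directory listing: three hourly rollovers plus the pid file.
    listing = [
        "/tmp/testcap.1312899477",
        "/tmp/testcap.1312903077",
        "/tmp/testcap.1312906677",
        "/tmp/daemonlogger.pid",
    ]
    incident_start, incident_end = 1312903000, 1312904000
    if is_pruned(listing, "testcap", incident_start):
        print("incident window already pruned from the ring buffer")
    else:
        for f in files_covering(listing, "testcap", incident_start, incident_end,
                                now=1312910000):
            print("load", f)
```

In practice feed it `os.listdir()` of the -l directory and the same -n prefix you gave daemonlogger; the selected files can then be merged with mergecap or opened directly in Wireshark. Because the window end is inferred from the next file's open time rather than recorded, treat the result as "files to load", not as proof that every packet in the window was captured.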