Daemonlogger modified to use DAQ, primarily for listening on multiple interfaces plus other features I thought it should have. Sorry Marty.
DaemonLogger: Simple packet logging & soft tap daemon. Version 1.2.1
Copyright (C) 2006-2008 Sourcefire Inc. Author: Martin Roesch [email protected] 2016-12-15 tom currie [email protected]
- removed pcap stuff and added daq stuff 2010-03-04 tom currie [email protected]
- added toggle file option
This was originally a libpcap-based program, it now uses daq. It has two runtime modes:
-
It sniffs packets and spools them straight to the disk and can daemonize itself for background packet logging. By default the file rolls over when 1 GB of data is logged.
-
It sniffs packets and rewrites them to a second interface, essentially acting as a soft tap. It can also do this in daemon mode.
These two runtime modes are mutually exclusive, if the program is placed in tap mode (using the -o switch) then logging to disk is disabled.
License:
GPL v2. Make SURE you read the included COPYING file so that you understand how this file is licensed by Sourcefire, even though it's under the GPL v2 there are some clarifications that we have made regarding the licensing of this program.
Requirements:
- A recent version of libpcap.
- A recent version of libdnet.
- A recent version of libdaq.
Usage:
daemonlogger [switches] [bpf filter]
Switches:
-c <count> Capture <count> packets and exit.
-d Daemonize at startup.
-D <daq path> The location on disk where we will find daq_afpacket.so
-f <bpf file> Load BPF filter from <bpf file>.
-F Make disk output "packet-buffered". As each packet
is saved, it will be written to the output file rather
than being written only when the output buffer fills.
-g <group name> Set group ID to <group name>.
-h Print usage message.
-i <interface> Sniff packets from <interface>. Supports a colon separated
list of interfaces: "eno1:eno3"
-l <path> Specify a <path> to write the pcap logfiles into.
-m <count> Write <count> log files and exit. If using Ringbufer mode
then write <count> files and delete the oldest file in the
set when you exceed <count> log files written. The
program will not exit when in this mode.
-M <pct> Used in concert with the -r ringbuffer switch this option
will write log files to the disk until it is at <pct>
utilization and then roll over and delete the oldest log
file. For example, "-M 90" would write files to the disk
until it is 90% utilized and then roll over and delete the
oldest file in the logging directory. If the -s "size"
switch is not set then the default log file size is 2GB.
-n <name> Set output filename prefix to <name>. Default is
"daemonlogger.pcap".
-o <outf> Disable packet logging and write packets received on
<interface> on <outf>. Activates tap mode.
Example: daemonlogger -i en0 -o gre0
-p <pidfile> Set an explicit <pidfile> filename. Default is
daemonlogger.pid.
-P <pidpath> Set an explicit <pidpath> directory. Default is /var/run.
-r Activate ringbuffer mode.
-s <size> Rollover the log file if it reaches <size> bytes.
-S <snaplen> Set the number of bytes to grab per packet to <snaplen>.
-t <time> Rollover the log file on time intervals. Append an 'm' to
rollover on minute boundaries, 'h' to rollover on hour
boundaries and 'd' to rollover on day boundaries. If no
interval selector is used then the default rollover
interval is in seconds.
For example, "-t 60" rolls the log file over every 60
seconds and "-t 2h" rolls the log file over every two
hours at the top of the hour. In the case of
minute/hour/day-based rollovers, the will round to the
next highest hour. For example, if the program is told to
rollover every 2 hours and is started 38 minutes into the
current hour it will add 2 to the current hour and
rollover as scheduled at the top of the hour at <current
hour> + 2. If the program was started at 13:38 it would
roll over the logfile at 15:00.
-T <chroot> Chroot directory to <chroot>.
-u <user name> Set user ID to <user name>.
-v Show daemonlogger version.
-X Toggle between two files. One file will have the suffix "A"
the other will have the suffix "B". Partnered with the
"-m 3" will create a rolling history of all packets of the
previous 3-6 minutes. This controls disk consumption which
allows the output files to use " -l /dev/shm ", writing
packet files at the speed of memory.
-z Select log file pruning behavior. Omitting this switch
results in the default mode being used where the oldest log
file in the logging directory is pruned. Setting the -z
switch changes the behavior so that Daemonlogger will prune
the oldest file from its current instantiation and leave
files from older runs in the same logging directory alone.
BPF Filter: You can specify BPF filter commands after the command line switches just like in tcpdump or Snort.
This code is largely untested and probably completely shoddy. YMMV. Write me if you find bugs or want features!