Daemonlogger in Ring Buffer Mode

You may have seen Daemonlogger appear at Snort.org. You may also have read Geek00l's description of some of its capabilities. I'd like to talk about Daemonlogger briefly, and show you a few new capabilities added in the upcoming 0.9 release.

Daemonlogger is similar to Dumpcap shipped with Wireshark. However, Daemonlogger is a stand-alone tool and it can act as a "soft tap," replaying packets out a given interface.

To install Daemonlogger you need Libdnet (I used libdnet-1.11 on FreeBSD 6.x).

You can use Daemonlogger to capture packets in ring buffer mode, similar to what Tcpdump , Tshark, and Dumpcap offer.

First, the help output.

cel433:/nsm/daemonlogger# /usr/local/src/daemonlogger-0.9/daemonlogger -h
USAGE: daemonlogger [-options] <bpf filter>
-c <count> Log <count> packets and exit
-d Daemonize at startup
-f <bpf file> Load BPF filter from <bpf file>
-g <group name> Set group ID to <group name>
-h Show this usage statement
-i <intf> Grab packets from interface <intf>
-l <path> Log to directory <path>
-m <count> Generate <count> log files and quit
-n <name> Set output filename prefix to <name>
-o <outf> Disable logging, retransmit data from
<intf> to <outf>
-p <pidfile> Use <pidfile> for PID filename
-P <pidpath> Use <pidpath> for PID directory
-r Activate ringbuffer mode
-R <pcap file> Read packets from <pcap file>
-s <bytes> Rollover the log file every <bytes>
-t <seconds> Rollover the log file every <seconds>
-u <user name> Set user ID to <user name>
-v Show daemonlogger version

Let's tell Daemonlogger to run as user sguil group sguil, in ring buffer mode, collecting three traces of 10 KB each while ignoring ARP.

cel433:/usr/local/src/daemonlogger-0.9# ./daemonlogger -l /nsm/daemonlogger
-i dc0 -r -s 10240 -m 3 -n dl.test -u sguil -g sguil not arp
[-] Logpath set to /nsm/daemonlogger
[-] Interface set to dc0
[-] Ringbuffer active
[-] Rollover size set to 10240 bytes
[-] Max files to write set to 3
[-] Log filename set to "dl.test"[-] Setting user ID to sguil
[-] Setting group ID to sguil

-*> DaemonLogger <*-
Version 0.9

By Martin Roesch
(C) Copyright 2006-2007 Sourcefire Inc., All rights reserved
sniffing on interface dc0
start_sniffing() device dc0 network lookup: dc0: no IPv4 address assigned
Logging packets to /nsm/daemonlogger/dl.test.1175873460

As 10 KB of traffic is collected, a new file is started:

Rolling over logfile...
Logging packets to /nsm/daemonlogger/dl.test.1175873490

And so on...

Rolling over logfile...
Logging packets to /nsm/daemonlogger/dl.test.1175873491

When three files have been saved, the oldest is deleted and a new one is created.

Rolling over logfile...
[!] Ringbuffer: deleting /nsm/daemonlogger/dl.test.1175873441
Logging packets to /nsm/daemonlogger/dl.test.1175873493

And the process continues until killed.

Rolling over logfile...
[!] Ringbuffer: deleting /nsm/daemonlogger/dl.test.1175873460
Logging packets to /nsm/daemonlogger/dl.test.1175873495
^CQuitting!

This is what we are left with.

cel433:/usr/local/src/daemonlogger-0.9# ls -al /nsm/daemonlogger/
total 50
drwxr-xr-x 2 sguil sguil 512 Apr 6 11:31 .
drwxr-xr-x 10 sguil sguil 512 Apr 6 11:27 ..
-rw-r--r-- 1 sguil sguil 11091 Apr 6 11:31 dl.test.1175873490
-rw-r--r-- 1 sguil sguil 10823 Apr 6 11:31 dl.test.1175873491
-rw-r--r-- 1 sguil sguil 11342 Apr 6 11:31 dl.test.1175873493
-rw-r--r-- 1 sguil sguil 9875 Apr 6 11:31 dl.test.1175873495

This is only one way to use Daemonlogger. When 0.9 appears at Snort.org, download it and try out the other features.

I think we might use Daemonlogger in Sguil's log_packets.sh script, as I posted here.

Thanks to Marty Roesch for writing a real Open Source tool and adding features to meet requests posted in IRC this week.

Update: Marty pointed out that combining the -R option to read in a trace with the -o output option makes Daemonlogger a simple version of Tcpreplay:

cel433:/usr/local/src/daemonlogger-0.9# ./daemonlogger -R
/nsm/daemonlogger/dl.test.1175873490 -o xl0
[-] In readback mode
[-] Tap output interface set to xl0
-*> DaemonLogger <*-
Version 0.9

By Martin Roesch
(C) Copyright 2006-2007 Sourcefire Inc., All rights reserved
Reading network traffic from "/nsm/daemonlogger/dl.test.1175873490" file.

snaplen = 65536

He's right -- that works!

Comments

Anonymous said…
This comment has been removed by a blog administrator.
Anonymous said…
I have a mostly working port of daemonlogger ready. I'm hoping to finish up the RC script this week and get it included in the ports tree.
Anonymous said…
Today another update for daemonlogger

[...]
2007-04-09 mfr
* Added -S switch for user adjustable snaplen

2007-04-05 mfr
* Added -u/-g/-R switches for file readback and priv dropping
* Fixed file rotation code
[...]

You can run it now under non-root privileges

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics