gg_sniff - glouglou probe client for network activity

WARNING: Work in progress, don't expect this to work!

Requirements
============

* libglouglou
* libpcap
* libevent2
* libbsd (linux only)

Installation
============

git clone git@meg:glouglou
cd gg_sniff
make && sudo make install

Usage
=====

gg_sniff -i eth0

Notes on architecture and security
==================================

gg_sniff must be run as root. It drops privileges to the user _gg_sniff and
chroots into that user's home directory (/var/empty).
gg_sniff does:
* configuration, glouglou server reporting, privilege dropping and chroot (gg_sniff.c)
* reading the pcap file descriptor to capture network traffic (pcap.c)
* asynchronous DNS resolution using evdns (dns.c)

Note that gg_sniff enables an extra protection on the libpcap file descriptor
by opening it read-only; for now this is done on OpenBSD only.
It does so by reimplementing some libpcap functions, see my_pcap_open_live()
in pcap.c.
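The privilege drop and chroot described above, as an added example that is not
gg_sniff's own code: it follows the order the README implies (start as root,
open privileged resources such as the capture handle first, chroot into the
user's home, then switch to the unprivileged user). The function and the user
and directory names are assumptions for illustration; the capture setup itself
is left out so the example builds with only POSIX headers.

```c
/* Added example, not part of gg_sniff: privilege drop and chroot in the
 * order a root-started capture daemon should use. Hypothetical helper. */
#include <sys/types.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Confine the process to `jail` and switch to `user` (e.g. "_gg_sniff" and
 * "/var/empty", the values the README names). Call this only after every
 * privileged resource (the pcap handle) is already open, because nothing
 * outside the jail is reachable afterwards. Returns 0 on success, -1 on
 * failure; on failure before the chroot step the process is unchanged. */
int drop_privileges(const char *user, const char *jail)
{
    struct passwd *pw;

    if (getuid() != 0) {
        fprintf(stderr, "must start as root to drop privileges\n");
        return -1;
    }
    errno = 0;
    if ((pw = getpwnam(user)) == NULL) {
        fprintf(stderr, "user %s: %s\n", user,
                errno ? strerror(errno) : "not found");
        return -1;
    }
    /* Dropping to uid 0 would be a no-op; refuse a misconfigured account. */
    if (pw->pw_uid == 0) {
        fprintf(stderr, "user %s is uid 0, refusing\n", user);
        return -1;
    }
    /* chroot while still root, then chdir("/") so the old working directory
     * does not remain reachable from inside the jail. */
    if (chroot(jail) == -1 || chdir("/") == -1) {
        perror("chroot");
        return -1;
    }
    /* Supplementary groups must be cleared before setuid(): only root may
     * change them. setgid() before setuid() for the same reason. */
    if (setgroups(1, &pw->pw_gid) == -1 || setgid(pw->pw_gid) == -1 ||
        setuid(pw->pw_uid) == -1) {
        perror("setgroups/setgid/setuid");
        return -1;
    }
    /* A complete drop replaces the saved uid too, so regaining root must
     * fail; if it succeeds the drop was only effective-uid deep. */
    if (setuid(0) == 0) {
        fprintf(stderr, "privilege drop incomplete\n");
        return -1;
    }
    return 0;
}

/* True when real and effective ids both equal the intended unprivileged
 * account; useful as a sanity check before entering the capture loop. */
int ids_dropped_to(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

int main(void)
{
    /* Capture handle would be opened here, before the drop. */
    if (drop_privileges("_gg_sniff", "/var/empty") == -1)
        return 1;
    /* ... run the capture loop as _gg_sniff inside /var/empty ... */
    return 0;
}
```

The order is the whole point: chroot() and setgroups() are root-only calls, so
they must precede setuid(); opening the capture device must precede chroot()
because /dev is not reachable from /var/empty.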

Limitations
===========

If your DNS servers change while gg_sniff is running, gg_sniff will keep using
the old ones.
The only fix is to restart the gg_sniff process.