gg_sniff - glouglou probe client for network activity
WARNING: Work in progress, don't expect this to work!
* libbsd (Linux only)
git clone git@meg:glouglou
make && sudo make install
gg_sniff -i eth0
Notes on architecture and security
gg_sniff must be run as root. It drops privileges to the user _gg_sniff and chroots
into that user's home directory (/var/empty).
* configuration, glouglou server reporting, droppriv and chroot (gg_sniff.c)
* read pcapfd to capture network traffic (pcap.c)
* async DNS resolving using evdns (dns.c)
Note that gg_sniff activates extra protections on the libpcap file descriptor by
setting it to read-only, for now on OpenBSD only.
It does so by reimplementing some of libpcap's functions, see
If your DNS servers change during gg_sniff execution, gg_sniff will keep using
the old ones.
The only fix is to restart the gg_sniff process.