gg_sniff - glouglou probe client for network activity

Requirements
============

* libglouglou
* libpcap
* libevent2
* libbsd (linux only)

Installation
============

make && sudo make install

Usage
=====

sudo gg_sniff

sudo gg_sniff -i eth0

sudo gg_sniff -i eth0 10.137.2.9

sudo gg_sniff -v -f "not port 4430 and not port 4431 and net 10.137.2.0/24" 10.137.2.9

(10.137.2.9 is the address of the glougloud server that gg_sniff reports to)

Notes on capture
================

By default gg_sniff captures on all interfaces (libpcap's "any" pseudo-interface,
which exists on Linux only; use -i elsewhere).
By default the capture filter is "not port 4430 and not port 4431 and not port 53".
You can change it via -f, but do not forget to keep filtering out port 4430 and
port 4431: those are the ports used by glouglou itself, so without the exclusion
gg_sniff would capture and report its own traffic to glougloud.

Notes on architecture and security
==================================

gg_sniff must be run as root (opening the capture device requires it). Once the
capture is set up it drops privileges to the user _gg_sniff and chroots into that
user's home directory (/var/empty), so the code that parses untrusted packets
runs unprivileged and confined.
gg_sniff does:
* configuration, glouglou server reporting, privilege drop and chroot (gg_sniff.c)
* read the pcap file descriptor to capture network traffic (pcap.c)
* async DNS resolving using evdns (dns.c)
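The privilege drop and chroot sequence described above, written out as an added
example in C. This is illustrative code, not gg_sniff's own gg_sniff.c: the user
name _gg_sniff and the /var/empty jail are taken from this README, while the
function names drop_privileges() and privileges_dropped() and the "nobody"
fallback are assumptions of the example. It shows the order that matters
(chroot and chdir while still root, then groups, gid, uid) and the final check
that root really cannot be regained.

```c
/* Added example, not gg_sniff code: privilege drop + chroot for a capture
 * daemon. drop_privileges() must be called only after every privileged
 * resource (the pcap fd, sockets, resolv.conf) has been opened, because
 * nothing outside the jail is reachable afterwards. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if the process is unprivileged and cannot obtain uid 0 again,
 * 0 otherwise (still root, or saved uid still allows a switch back). */
int privileges_dropped(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    /* A correctly dropped process must fail both of these. */
    return setuid(0) != 0 && seteuid(0) != 0;
}

/* Drop to `user` and confine to `jail`.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(const char *user, const char *jail)
{
    struct passwd *pw;

    if (geteuid() != 0) {       /* only root can chroot()/setuid() */
        errno = EPERM;
        return -1;
    }
    /* Resolve the target uid/gid while /etc/passwd is still visible. */
    pw = getpwnam(user);
    if (pw == NULL) {
        errno = ENOENT;
        return -1;
    }
    /* 1. chroot first (needs root). chdir("/") closes the classic hole where
     *    the working directory stays outside the new root. */
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    /* 2. supplementary groups, then gid, then uid: once the uid is
     *    unprivileged the earlier calls would no longer be allowed. */
    if (setgroups(1, &pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;
    /* 3. verify: a silent partial drop is worse than a hard error. */
    if (!privileges_dropped()) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* User and jail as in the README; run as root to see the drop succeed. */
    if (drop_privileges("_gg_sniff", "/var/empty") != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    printf("now uid %u inside the chroot, root cannot be regained\n",
           (unsigned)getuid());
    return 0;
}
```

Run as an unprivileged user the call fails with EPERM before touching anything,
which is the behaviour a daemon should have: refuse to start rather than keep
running with an incomplete drop.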

Note that on OpenBSD gg_sniff applies an extra protection to the libpcap
capture file descriptor by making it read-only, so that the unprivileged,
chrooted process cannot reconfigure the capture device. This is not done on
other platforms yet. To get at the descriptor it reimplements part of libpcap's
device-opening code; see my_pcap_open_live() in pcap.c.

Limitations
===========

If the system's DNS servers change while gg_sniff is running, gg_sniff keeps
using the old ones: the resolver configuration is read once at startup, and
after the chroot into /var/empty the process can no longer read
/etc/resolv.conf.
The only fix is to restart the gg_sniff process.