blob: 8d71005d71446003aefd60a7db1a194c9436147b
gg_sniff - glouglou probe client for network activity
WARNING: Work in progress, don't expect this to work!
Requirements
============
* libglouglou
* libpcap
* libevent2
* libbsd (linux only)
Installation
============
git clone git@meg:glouglou
cd gg_sniff
make && sudo make install
Usage
=====
gg_sniff -i eth0
Notes on architecture and security
==================================
gg_sniff must be run as root. It drops privileges to the user _gg_sniff and chroots
into the _gg_sniff user's home directory (/var/empty).
gg_sniff does:
* configuration, glouglou server reporting, droppriv and chroot (gg_sniff.c)
* read pcapfd to capture network traffic (pcap.c)
* async DNS resolving using evdns (dns.c)
Note that gg_sniff adds an extra protection on the libpcap file descriptor by
setting it read-only; for now this is done on OpenBSD only.
It does so by reimplementing some libpcap functions; see my_pcap_open_live() in
pcap.c.
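As an added example (not gg_sniff's own code) of the privilege-drop and chroot sequence the notes above describe: it assumes the pcap handle has already been opened while still root, and uses the user and directory named in this README. It also verifies that root cannot be regained afterwards.

```c
#define _GNU_SOURCE          /* setresuid/setresgid/setgroups on glibc (assumed Linux or OpenBSD) */
#include <sys/types.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * Drop root privileges to `user` and confine the process to `dir`.
 * Call this AFTER the capture handle has been opened: the pcap fd stays
 * open across chroot()/setuid(), so nothing from the real filesystem is
 * needed inside the (empty) jail afterwards.
 * Returns 0 on success, -1 on any failure (message on stderr, errno set).
 */
int drop_privileges(const char *user, const char *dir)
{
    /* Look the user up before chroot(): getpwnam() needs /etc/passwd. */
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0) {
        fprintf(stderr, "drop_privileges: refusing user %s (unknown or uid 0)\n", user);
        errno = EINVAL;
        return -1;
    }
    uid_t uid = pw->pw_uid;
    gid_t gid = pw->pw_gid;

    /* chroot() while still root, then chdir("/") so the cwd is inside the jail. */
    if (chroot(dir) != 0 || chdir("/") != 0) {
        fprintf(stderr, "drop_privileges: chroot(%s): %s\n", dir, strerror(errno));
        return -1;
    }
    /* Groups and gid first: once the uid is unprivileged, setgroups() is denied. */
    if (setgroups(1, &gid) != 0 ||
        setresgid(gid, gid, gid) != 0 ||
        setresuid(uid, uid, uid) != 0) {
        fprintf(stderr, "drop_privileges: setgid/setuid: %s\n", strerror(errno));
        return -1;
    }
    /* The drop must be irreversible: any way back to uid 0 is a bug. */
    if (setuid(0) == 0 || seteuid(0) == 0) {
        fprintf(stderr, "drop_privileges: able to regain root, aborting\n");
        errno = EPERM;
        return -1;
    }
    return 0;
}
```

On a host without the _gg_sniff user or /var/empty the call fails loudly instead of continuing as root, which is the behaviour a probe that starts privileged should have.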
Limitations
===========
If your DNS servers change while gg_sniff is running, gg_sniff keeps using the
old ones.
The only fix is to restart the gg_sniff process.