SANS ISC: Using daemonlogger as a Software Tap - SANS Internet Storm Center


Using daemonlogger as a Software Tap

A while back I needed to tap the traffic going through my Linux gateway and wanted to do it on the "cheap", meaning to spend as little as possible to capture everything going from the internal network to the external one and vice versa, without putting another device inline (a hardware tap). After reviewing daemonlogger's [1] capabilities, I realized I could capture the traffic from one of the gateway's two interfaces and forward a copy to a third interface connected to my packet sniffer.


In my rc.local file I added the following command so the software tap restarts each time the gateway is restarted. The configuration is simple: indicate which interface is the input (i.e. -i eth0), indicate where the software tap is connected (i.e. -o eth2), which activates tap mode, and finally start daemonlogger as a daemon (i.e. -d).

# Start packet forwarding from eth0 to eth2 for full packet capture
/usr/local/sbin/daemonlogger -i eth0 -o eth2 -d
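As an added example (not from the diary), the same rc.local launch wrapped in a small POSIX sh script that checks both interfaces exist, refuses an identical input/tap pair, brings the tap-side interface up and avoids starting a second copy. The daemonlogger path, the interface names eth0/eth2 and the use of pgrep from procps are assumptions.

```shell
#!/bin/sh
# Added example (not the diary's own code): an rc.local-style launcher for
# the daemonlogger software tap that validates its inputs before daemonising.
# Assumed: daemonlogger at /usr/local/sbin/daemonlogger, input eth0, tap eth2.
DAEMONLOGGER=/usr/local/sbin/daemonlogger

# True if an interface of that name exists. $2 (sysfs root) exists only so the
# check can be exercised against a constructed directory instead of /sys.
iface_exists() {
    [ -d "${2:-/sys/class/net}/$1" ]
}

# Build the command line. An empty or identical in/out pair is refused: the
# same interface as input and output would copy every packet back onto the
# monitored link.
build_tap_cmd() {
    in="$1"; out="$2"
    if [ -z "$in" ] || [ -z "$out" ]; then
        echo "usage: build_tap_cmd <in-iface> <out-iface>" >&2; return 1
    fi
    if [ "$in" = "$out" ]; then
        echo "input and tap interface must differ ($in)" >&2; return 1
    fi
    echo "$DAEMONLOGGER -i $in -o $out -d"
}

start_tap() {
    in="$1"; out="$2"
    iface_exists "$in"  || { echo "no such interface: $in"  >&2; return 1; }
    iface_exists "$out" || { echo "no such interface: $out" >&2; return 1; }
    # The tap-side interface needs no IP address; it only has to be up.
    ip link set dev "$out" up
    # Do not start a second forwarder if one is already running for this pair.
    if pgrep -f "$DAEMONLOGGER -i $in -o $out" >/dev/null 2>&1; then
        echo "daemonlogger already running for $in -> $out" >&2; return 0
    fi
    cmd=$(build_tap_cmd "$in" "$out") || return 1
    $cmd
}

# rc.local usage: /path/to/this-script.sh start
case "${1:-}" in
    start) start_tap eth0 eth2 ;;
esac
```

Once running, a sniffer on the eth2 side should see the gateway's eth0 traffic; tcpdump on that host is the quickest way to confirm packets are arriving.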

[1] https://github.com/vrtadmin/Daemonlogger

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Nice. Check out OpenFPC; it uses daemonlogger as a backend.

http://www.openfpc.org/
Anonymous
