For my planning, when do you expect the next official release?

Thanks,
Doug
On Sun, Dec 2, 2012 at 4:23 PM, Doug Burks <[email protected]> wrote:
> Thanks!
> Doug
>
> On Sun, Dec 2, 2012 at 4:15 PM, Daniel Borkmann <[email protected]> wrote:
>> On Sun, Dec 2, 2012 at 10:11 PM, Doug Burks <[email protected]> wrote:
>>> Well, since you asked... :)
>>>
>>> I know I can do the following to allow netsniff-ng to be run as a non-root
>>> user:
>>> sudo setcap cap_net_raw,cap_ipc_lock,cap_sys_admin,cap_net_admin=eip netsniff-ng
>>>
>>> But it would be quite nice if netsniff-ng had internal support for
>>> dropping to a non-root user after opening the eth device. Many other
>>> pcap tools (such as daemonlogger, snort, suricata, etc.) support this
>>> via command-line arguments like:
>>> -u user -g group
>>> OR
>>> --user user --group group
>>>
>>> Thoughts?
>>
>> Good point!
>>
>> I'll add this to the TODOs for the next official release.
>>
>>> On Sun, Dec 2, 2012 at 3:50 PM, Daniel Borkmann <[email protected]> wrote:
>>>> By the way, if you have any other feature requests / wishes (besides
>>>> the list in TODO) that might be useful for many users, let us know,
>>>> and we'd be happy to further improve the toolkit.
>>>>
>>>> On Sun, Dec 2, 2012 at 5:49 PM, Daniel Borkmann <[email protected]> wrote:
>>>>> On Sun, Dec 2, 2012 at 5:47 PM, Doug Burks <[email protected]> wrote:
>>>>>> Thanks for the always fast response! Deploying the "tcpdump -dd"
>>>>>> solution now.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> If we have something new regarding bpfc, I'll announce it on the list
>>>>> anyway.
>>>>>
>>>>>> On Sun, Dec 2, 2012 at 9:00 AM, Daniel Borkmann <[email protected]> wrote:
>>>>>>> On Sun, Dec 2, 2012 at 2:55 PM, Doug Burks <[email protected]> wrote:
>>>>>>>> On Tue, Oct 30, 2012 at 10:41 AM, Daniel Borkmann <[email protected]> wrote:
>>>>>>>> <snip>
>>>>>>>>>> -f /etc/nsm/$HOSTNAME-$INTERFACE/bpf-pcap.conf
>>>>>>>>>> This should be the same option in netsniff-ng, but my understanding is
>>>>>>>>>> that I'll need to convert my "human-readable" bpf-pcap.conf using
>>>>>>>>>> "tcpdump -dd"?
>>>>>>>>>
>>>>>>>>> Yes, if you want to use filters and bpf-pcap.conf contains
>>>>>>>>> tcpdump-like filters, run them through "tcpdump -dd <my filter>" > out.ops
>>>>>>>>> and then pass out.ops to netsniff-ng via "--filter out.ops".
>>>>>>>>> That's it; netsniff-ng will then automatically enable the BPF JIT if
>>>>>>>>> it's available in your kernel. This feature translates BPF filters
>>>>>>>>> into architecture optimized machine opcodes within the kernel.
>>>>>>>>
>>>>>>>> We've officially replaced daemonlogger with netsniff-ng and it appears
>>>>>>>> to be working well! However, we haven't included BPF functionality
>>>>>>>> yet, so I need to add that now. I can do what's described above, but
>>>>>>>> the FAQ also says:
>>>>>>>
>>>>>>> Cool, I'm very happy about that!
>>>>>>>
>>>>>>>> "If you try to create custom socket filters with tcpdump -dd, you have
>>>>>>>> to edit the ret opcode (0x6) of the resulting filter, otherwise your
>>>>>>>> payload will be cut off:
>>>>>>>>
>>>>>>>> 0x6, 0, 0, 0xFFFFFFFF instead of 0x6, 0, 0, 0x00000060
>>>>>>>>
>>>>>>>> The Linux kernel now takes skb->len instead of 0xFFFFFFFF. If you do
>>>>>>>> not change it, the kernel will take 0x00000060 as buffer length and
>>>>>>>> packets larger than 96 bytes will be cut off (filled with zero bytes)!
>>>>>>>> It's a bug in libpcap's filter compiler. Detailed information about
>>>>>>>> this issue can be found on our blog post."
>>>>>>>>
>>>>>>>> The linked blog post is no longer available. So is this an issue I
>>>>>>>> need to be concerned about?
>>>>>>>
>>>>>>> Actually not anymore. I use Fedora and the tcpdump version there
>>>>>>> outputs:
>>>>>>>
>>>>>>> # tcpdump -dd ip
>>>>>>> tcpdump: WARNING: eth0: no IPv4 address assigned
>>>>>>> { 0x28, 0, 0, 0x0000000c },
>>>>>>> { 0x15, 0, 1, 0x00000800 },
>>>>>>> { 0x6, 0, 0, 0x0000ffff },
>>>>>>> { 0x6, 0, 0, 0x00000000 },
>>>>>>>
>>>>>>> So they have changed this from 0x00000060 into 0x0000ffff.
>>>>>>>
>>>>>>> For bpfc itself, I didn't have time to finish the high-level compiler,
>>>>>>> yet. We have an assembler-like compiler where you can also create
>>>>>>> filters with, but for usability you can use the method described
>>>>>>> above, of course.

--
Doug Burks
http://securityonion.blogspot.com
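As an added example (not code from this thread, from netsniff-ng or from tcpdump), a small Python checker that applies the test the quoted FAQ describes to a captured `tcpdump -dd` output: it parses the `{ code, jt, jf, k }` lines, ignores anything else (such as the tcpdump warning shown above), and flags or rewrites `ret #k` instructions whose k would truncate the captured packets. The 0xFFFF threshold is taken from the Fedora output quoted above; the old-libpcap sample is constructed from the FAQ's 0x00000060 case.

```python
import re

# One `tcpdump -dd` line per classic BPF instruction: `{ code, jt, jf, k },`
# (the four fields of struct sock_filter). Anything else, e.g. the tcpdump
# "WARNING: eth0: no IPv4 address assigned" line, is skipped.
INSN_RE = re.compile(r"^\s*\{\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*\},?\s*$")

BPF_RET_K = 0x06         # `ret #k`: k is the number of bytes the kernel keeps
ACCEPT_ALL = 0xFFFFFFFF  # larger than any frame, so the kernel clamps it to skb->len

# `tcpdump -dd ip` as quoted in the thread (Fedora, newer libpcap) and a constructed
# copy of the older libpcap output the FAQ warns about (ret #96 truncates packets).
NEW_TCPDUMP_OPS = """tcpdump: WARNING: eth0: no IPv4 address assigned
{ 0x28, 0, 0, 0x0000000c },
{ 0x15, 0, 1, 0x00000800 },
{ 0x6, 0, 0, 0x0000ffff },
{ 0x6, 0, 0, 0x00000000 },
"""
OLD_TCPDUMP_OPS = NEW_TCPDUMP_OPS.replace("0x0000ffff", "0x00000060")

def parse_ops(text):
    """Parse tcpdump -dd output into a list of (code, jt, jf, k) tuples."""
    insns = []
    for line in text.splitlines():
        m = INSN_RE.match(line)
        if m:
            insns.append(tuple(int(field, 0) for field in m.groups()))
    return insns

def truncating_rets(insns, min_snaplen=0xFFFF):
    """Indices of `ret #k` that accept the packet (k > 0) but keep fewer than min_snaplen bytes.
    `ret a` (0x16) returns the accumulator instead of a constant and is left alone."""
    return [i for i, (code, _jt, _jf, k) in enumerate(insns)
            if code == BPF_RET_K and 0 < k < min_snaplen]

def fix_rets(insns, min_snaplen=0xFFFF):
    """Copy of insns with every truncating `ret #k` rewritten to keep the whole packet."""
    fixed = list(insns)
    for i in truncating_rets(insns, min_snaplen):
        code, jt, jf, _k = fixed[i]
        fixed[i] = (code, jt, jf, ACCEPT_ALL)
    return fixed

def format_ops(insns):
    """Render instructions back into the form netsniff-ng --filter reads."""
    return "\n".join("{ 0x%x, %d, %d, 0x%08x }," % insn for insn in insns)
```

To use it on a real capture, run `parse_ops` on the contents of out.ops and write `format_ops(fix_rets(...))` back before passing the file to `--filter`.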
