On Sun, Dec 2, 2012 at 11:16 PM, Doug Burks <[email protected]> wrote:
> For my planning, when do you expect the next official release?

If everything goes well, I hope in January/February 2013.

> On Sun, Dec 2, 2012 at 4:23 PM, Doug Burks <[email protected]> wrote:
>> Thanks!
>> Doug
>>
>> On Sun, Dec 2, 2012 at 4:15 PM, Daniel Borkmann <[email protected]> wrote:
>>> On Sun, Dec 2, 2012 at 10:11 PM, Doug Burks <[email protected]> wrote:
>>>> Well, since you asked... :)
>>>>
>>>> I know I can do the following to allow netsniff-ng to be run as a non-root
>>>> user:
>>>> sudo setcap cap_net_raw,cap_ipc_lock,cap_sys_admin,cap_net_admin=eip netsniff-ng
>>>>
>>>> But it would be quite nice if netsniff-ng had internal support for
>>>> dropping to a non-root user after opening the eth device. Many other
>>>> pcap tools (such as daemonlogger, snort, suricata, etc.) support this
>>>> via command-line arguments like:
>>>> -u user -g group
>>>> OR
>>>> --user user --group group
>>>>
>>>> Thoughts?
>>>
>>> Good point!
>>>
>>> I'll add this to the TODOs for the next official release.
>>>
>>>> On Sun, Dec 2, 2012 at 3:50 PM, Daniel Borkmann <[email protected]> wrote:
>>>>> By the way, if you have any other feature requests / wishes (besides
>>>>> the list in TODO) that might be useful for many users, let us know,
>>>>> and we'd be happy to further improve the toolkit.
>>>>>
>>>>> On Sun, Dec 2, 2012 at 5:49 PM, Daniel Borkmann <[email protected]> wrote:
>>>>>> On Sun, Dec 2, 2012 at 5:47 PM, Doug Burks <[email protected]> wrote:
>>>>>>> Thanks for the always fast response! Deploying the "tcpdump -dd"
>>>>>>> solution now.
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> If we have something new regarding bpfc, I'll announce it on the list
>>>>>> anyway.
>>>>>>
>>>>>>> On Sun, Dec 2, 2012 at 9:00 AM, Daniel Borkmann <[email protected]> wrote:
>>>>>>>> On Sun, Dec 2, 2012 at 2:55 PM, Doug Burks <[email protected]> wrote:
>>>>>>>>> On Tue, Oct 30, 2012 at 10:41 AM, Daniel Borkmann <[email protected]> wrote:
>>>>>>>>> <snip>
>>>>>>>>>>> -f /etc/nsm/$HOSTNAME-$INTERFACE/bpf-pcap.conf
>>>>>>>>>>> This should be the same option in netsniff-ng, but my understanding is
>>>>>>>>>>> that I'll need to convert my "human-readable" bpf-pcap.conf using
>>>>>>>>>>> "tcpdump -dd"?
>>>>>>>>>>
>>>>>>>>>> Yes, if you want to use filters and bpf-pcap.conf contains
>>>>>>>>>> tcpdump-like filters, run them through "tcpdump -dd <my filter>" >
>>>>>>>>>> out.ops and then pass out.ops to netsniff-ng via "--filter out.ops".
>>>>>>>>>> That's it; netsniff-ng will then automatically enable the BPF JIT if
>>>>>>>>>> it's available in your kernel. This feature translates BPF filters
>>>>>>>>>> into architecture-optimized machine opcodes within the kernel.
>>>>>>>>>
>>>>>>>>> We've officially replaced daemonlogger with netsniff-ng and it appears
>>>>>>>>> to be working well! However, we haven't included BPF functionality
>>>>>>>>> yet, so I need to add that now. I can do what's described above, but
>>>>>>>>> the FAQ also says:
>>>>>>>>
>>>>>>>> Cool, I'm very happy about that!
>>>>>>>>
>>>>>>>>> "If you try to create custom socket filters with tcpdump -dd, you have
>>>>>>>>> to edit the ret opcode (0x6) of the resulting filter, otherwise your
>>>>>>>>> payload will be cut off:
>>>>>>>>>
>>>>>>>>> 0x6, 0, 0, 0xFFFFFFFF instead of 0x6, 0, 0, 0x00000060
>>>>>>>>>
>>>>>>>>> The Linux kernel now takes skb->len instead of 0xFFFFFFFF. If you do
>>>>>>>>> not change it, the kernel will take 0x00000060 as buffer length and
>>>>>>>>> packets larger than 96 bytes will be cut off (filled with zero bytes)!
>>>>>>>>> It's a bug in libpcap's filter compiler. Detailed information about
>>>>>>>>> this issue can be found on our blog post."
>>>>>>>>>
>>>>>>>>> The linked blog post is no longer available. So is this an issue I
>>>>>>>>> need to be concerned about?
>>>>>>>>
>>>>>>>> Actually not anymore. I use Fedora and the tcpdump version there
>>>>>>>> outputs:
>>>>>>>>
>>>>>>>> # tcpdump -dd ip
>>>>>>>> tcpdump: WARNING: eth0: no IPv4 address assigned
>>>>>>>> { 0x28, 0, 0, 0x0000000c },
>>>>>>>> { 0x15, 0, 1, 0x00000800 },
>>>>>>>> { 0x6, 0, 0, 0x0000ffff },
>>>>>>>> { 0x6, 0, 0, 0x00000000 },
>>>>>>>>
>>>>>>>> So they have changed this from 0x00000060 into 0x0000ffff.
>>>>>>>>
>>>>>>>> For bpfc itself, I didn't have time to finish the high-level compiler,
>>>>>>>> yet. We have an assembler-like compiler where you can also create
>>>>>>>> filters with, but for usability you can use the method described
>>>>>>>> above, of course.
>>>>>>>
>>>>>>> --
>>>>>>> Doug Burks
>>>>>>> http://securityonion.blogspot.com
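The privilege-drop pattern requested in the thread (open the capture device while still root, then switch to an unprivileged user and group, the way a `-u user -g group` option would), as an added example that is not netsniff-ng code and not part of the original thread. The function names `resolve_ids`, `drop_privileges` and `privs_dropped` are assumptions made here; the packet socket is Linux-specific and opening it needs CAP_NET_RAW, so running the program end to end requires root.

```c
/* Added example (not netsniff-ng code): open the capture socket while still
 * privileged, then permanently drop to an unprivileged user/group.
 * Assumed names: resolve_ids(), drop_privileges(), privs_dropped(). */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <grp.h>
#include <linux/if_ether.h>   /* ETH_P_ALL */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Resolve user and (optional) group names to numeric ids.
 * Returns 0 on success, -1 if either name is unknown. */
int resolve_ids(const char *user, const char *group, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(user);
    if (!pw)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;              /* default: the user's primary group */
    if (group) {
        struct group *gr = getgrnam(group);
        if (!gr)
            return -1;
        *gid = gr->gr_gid;
    }
    return 0;
}

/* Permanently drop root.  Order matters: supplementary groups first, then
 * the gid, then the uid, because after setuid() the gid can no longer be
 * changed.  Finally verify that root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) < 0)     /* clear supplementary groups */
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (uid != 0 && setuid(0) == 0) /* must fail once the drop is real */
        return -1;
    return 0;
}

/* True if the process runs with exactly these real and effective ids. */
int privs_dropped(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

int main(int argc, char **argv)
{
    const char *user  = argc > 1 ? argv[1] : "nobody";   /* -u user  */
    const char *group = argc > 2 ? argv[2] : NULL;       /* -g group */
    uid_t uid;
    gid_t gid;

    if (resolve_ids(user, group, &uid, &gid) < 0) {
        fprintf(stderr, "unknown user/group %s/%s\n", user, group ? group : "-");
        return 1;
    }
    /* Step 1: the privileged work first; the raw packet socket needs CAP_NET_RAW. */
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) {
        perror("socket(AF_PACKET)");
        return 1;
    }
    /* Step 2: drop.  The already-open descriptor stays usable; new capture
     * sockets could no longer be opened from here on. */
    if (drop_privileges(uid, gid) < 0 || !privs_dropped(uid, gid)) {
        perror("drop_privileges");
        return 1;
    }
    printf("capturing as uid=%u gid=%u on fd %d\n",
           (unsigned)getuid(), (unsigned)getgid(), fd);
    close(fd);
    return 0;
}
```

The check that `setuid(0)` fails after the drop is the part worth keeping in any real implementation: a drop that only changes the effective uid, or that is done before the socket is opened, either leaves a way back to root or fails to open the device at all.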

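The `tcpdump -dd` conversion and the FAQ's `ret` opcode caveat discussed above, as an added example that is not netsniff-ng, bpfc or tcpdump code: it parses the `{ code, jt, jf, k }` array form into classic BPF instructions and flags `ret #k` instructions whose k would truncate accepted packets (the old libpcap value 0x60 = 96 bytes), rewriting them to accept the whole packet. The function names `parse_tcpdump_dd` and `fix_ret_lengths`, the local `struct bpf_insn`, and the old-style input are constructed here; the new-style input is the `tcpdump -dd ip` output quoted in the thread.

```c
/* Added example (not netsniff-ng/tcpdump code): parse "tcpdump -dd" output
 * and repair truncating "ret #k" instructions.
 * Assumed names: parse_tcpdump_dd(), fix_ret_lengths(). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as struct sock_filter in <linux/filter.h>, defined locally so
 * the example builds on any platform. */
struct bpf_insn {
    uint16_t code;
    uint8_t  jt;
    uint8_t  jf;
    uint32_t k;
};

#define BPF_RET_K      0x06         /* "ret #k": accept k bytes, 0 = drop */
#define BPF_ACCEPT_ALL 0xffffffffU  /* the kernel clamps this to skb->len */

/* Parse lines of the form "{ 0x28, 0, 0, 0x0000000c }," into prog[].
 * Lines that don't match (e.g. tcpdump's interface warning) are skipped.
 * Returns the instruction count, or -1 if prog[] is too small. */
int parse_tcpdump_dd(const char *text, struct bpf_insn *prog, int max)
{
    int n = 0;
    const char *line = text;
    while (line && *line) {
        unsigned code, jt, jf, k;
        if (sscanf(line, " { %x , %u , %u , %x }", &code, &jt, &jf, &k) == 4) {
            if (n == max)
                return -1;
            prog[n].code = (uint16_t)code;
            prog[n].jt   = (uint8_t)jt;
            prog[n].jf   = (uint8_t)jf;
            prog[n].k    = k;
            n++;
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return n;
}

/* Rewrite every accepting "ret #k" with 0 < k < min_ok to BPF_ACCEPT_ALL.
 * "ret #0" (drop) is left alone.  Returns the number of rewritten instructions.
 * Passing min_ok = 0xffff matches the thread: 0x60 truncates, 0xffff is fine. */
int fix_ret_lengths(struct bpf_insn *prog, int n, uint32_t min_ok)
{
    int changed = 0;
    for (int i = 0; i < n; i++) {
        if (prog[i].code == BPF_RET_K && prog[i].k != 0 && prog[i].k < min_ok) {
            prog[i].k = BPF_ACCEPT_ALL;
            changed++;
        }
    }
    return changed;
}

/* "tcpdump -dd ip" exactly as quoted in the thread (current libpcap). */
const char *TCPDUMP_DD_NEW =
    "tcpdump: WARNING: eth0: no IPv4 address assigned\n"
    "{ 0x28, 0, 0, 0x0000000c },\n"
    "{ 0x15, 0, 1, 0x00000800 },\n"
    "{ 0x6, 0, 0, 0x0000ffff },\n"
    "{ 0x6, 0, 0, 0x00000000 },\n";

/* Constructed: the same filter with the old 0x60 (96 byte) return length. */
const char *TCPDUMP_DD_OLD =
    "{ 0x28, 0, 0, 0x0000000c },\n"
    "{ 0x15, 0, 1, 0x00000800 },\n"
    "{ 0x6, 0, 0, 0x00000060 },\n"
    "{ 0x6, 0, 0, 0x00000000 },\n";

int main(void)
{
    struct bpf_insn prog[64];
    int n = parse_tcpdump_dd(TCPDUMP_DD_OLD, prog, 64);
    int changed = fix_ret_lengths(prog, n, 0xffff);
    printf("%d instructions, %d ret length(s) rewritten\n", n, changed);
    for (int i = 0; i < n; i++)
        printf("{ 0x%x, %u, %u, 0x%08x },\n",
               prog[i].code, prog[i].jt, prog[i].jf, prog[i].k);
    return 0;
}
```

Run over a generated `out.ops` before handing it to `--filter`, this turns the FAQ's manual edit into a check that can sit in the deployment script; on the current output shown in the thread it changes nothing, on the old 0x60 form it rewrites exactly the accepting return. Raising `min_ok` to `BPF_ACCEPT_ALL` would also catch 0xffff, which still caps a captured frame at 65535 bytes.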