Sounds good, thanks!
Doug

On Sunday, December 2, 2012, Daniel Borkmann wrote:
> On Sun, Dec 2, 2012 at 11:16 PM, Doug Burks <[email protected]> wrote:
> > For my planning, when do you expect the next official release?
>
> If everything goes well, I hope in January/February 2013.
>
> > On Sun, Dec 2, 2012 at 4:23 PM, Doug Burks <[email protected]> wrote:
> >> Thanks!
> >> Doug
> >>
> >> On Sun, Dec 2, 2012 at 4:15 PM, Daniel Borkmann <[email protected]> wrote:
> >>> On Sun, Dec 2, 2012 at 10:11 PM, Doug Burks <[email protected]> wrote:
> >>>> Well, since you asked... :)
> >>>>
> >>>> I know I can do the following to allow netsniff-ng to be run as a non-root user:
> >>>> sudo setcap cap_net_raw,cap_ipc_lock,cap_sys_admin,cap_net_admin=eip netsniff-ng
> >>>>
> >>>> But it would be quite nice if netsniff-ng had internal support for
> >>>> dropping to a non-root user after opening the eth device. Many other
> >>>> pcap tools (such as daemonlogger, snort, suricata, etc.) support this
> >>>> via command-line arguments like:
> >>>> -u user -g group
> >>>> OR
> >>>> --user user --group group
> >>>>
> >>>> Thoughts?
> >>>
> >>> Good point!
> >>>
> >>> I'll add this to the TODOs for the next official release.
> >>>
> >>>> On Sun, Dec 2, 2012 at 3:50 PM, Daniel Borkmann <[email protected]> wrote:
> >>>>> By the way, if you have any other feature requests / wishes (besides
> >>>>> the list in TODO) that might be useful for many users, let us know,
> >>>>> and we'd be happy to further improve the toolkit.
> >>>>>
> >>>>> On Sun, Dec 2, 2012 at 5:49 PM, Daniel Borkmann <[email protected]> wrote:
> >>>>>> On Sun, Dec 2, 2012 at 5:47 PM, Doug Burks <[email protected]> wrote:
> >>>>>>> Thanks for the always fast response! Deploying the "tcpdump -dd" solution now.
> >>>>>>
> >>>>>> Thanks!
> >>>>>>
> >>>>>> If we have something new regarding bpfc, I'll announce it on the list anyway.
> >>>>>>
> >>>>>>> On Sun, Dec 2, 2012 at 9:00 AM, Daniel Borkmann <[email protected]> wrote:
> >>>>>>>> On Sun, Dec 2, 2012 at 2:55 PM, Doug Burks <[email protected]> wrote:
> >>>>>>>>> On Tue, Oct 30, 2012 at 10:41 AM, Daniel Borkmann <[email protected]> wrote:
> >>>>>>>>> <snip>
> >>>>>>>>>>> -f /etc/nsm/$HOSTNAME-$INTERFACE/bpf-pcap.conf
> >>>>>>>>>>> This should be the same option in netsniff-ng, but my understanding is
> >>>>>>>>>>> that I'll need to convert my "human-readable" bpf-pcap.conf using
> >>>>>>>>>>> "tcpdump -dd"?
> >>>>>>>>>>
> >>>>>>>>>> Yes, if you want to use filters and bpf-pcap.conf contains
> >>>>>>>>>> tcpdump-like filters, run them through "tcpdump -dd <my filter>" > out.ops
> >>>>>>>>>> and then pass out.ops to netsniff-ng via "--filter out.ops".
> >>>>>>>>>> That's it; netsniff-ng will then automatically enable the BPF JIT if
> >>>>>>>>>> it's available in your kernel. This feature translates BPF filters
> >>>>>>>>>> into architecture-optimized machine opcodes within the kernel.
> >>>>>>>>>
> >>>>>>>>> We've officially replaced daemonlogger with netsniff-ng and it appears
> >>>>>>>>> to be working well! However, we haven't included BPF functionality
> >>>>>>>>> yet, so I need to add that now. I can do what's described above, but
> >>>> --
>
> --

--
Doug Burks
http://securityonion.blogspot.com
