Re: [netsniff-ng] Replacing daemonlogger with netsniff-ng

Mon, 21 Jan 2013 02:15:46 -0800 

On 01/19/2013 02:54 PM, Doug Burks wrote:

Thanks so much!


I'd be grateful if you can test it on your system.

It should work for most cases. In netsniff-ng, I've seen that it exits 
non-gracefully
when netsniff-ng is in promisc mode, since after destroying the mmap'ed rings 
it tries
to put the card into non-promisc again, but has no rights for it (since we've 
dropped
it). I don't think it makes much sense to regain privileged rights only for the
cleanup work.


On Fri, Jan 18, 2013 at 3:37 PM, Daniel Borkmann <[email protected]> wrote:

On Sun, Dec 2, 2012 at 10:11 PM, Doug Burks <[email protected]> wrote:

Well, since you asked...  :)

I know I can do the following to allow netsniff-ng to be run as a non-root user:
sudo setcap cap_net_raw,cap_ipc_lock,cap_sys_admin,cap_net_admin=eip netsniff-ng

But it would be quite nice if netsniff-ng had internal support for
dropping to a non-root user after opening the eth device.  Many other
pcap tools (such as daemonlogger, snort, suricata, etc.) support this
via command-line arguments like:
-u user -g group
OR
--user user --group group


Done, after setup, you can now drop privileges in netsniff-ng and trafgen.


Thoughts?

Thanks for your consideration!

Doug


On Sun, Dec 2, 2012 at 3:50 PM, Daniel Borkmann <[email protected]> wrote:

By the way, if you have any other feature requests / wishes (besides
the list in TODO) that might be useful for many users, let us know,
and we'd be happy to further improve the toolkit.

On Sun, Dec 2, 2012 at 5:49 PM, Daniel Borkmann <[email protected]> wrote:

On Sun, Dec 2, 2012 at 5:47 PM, Doug Burks <[email protected]> wrote:

Thanks for the always fast response!  Deploying the "tcpdump -dd" solution now.


Thanks!

If we have something new regarding bpfc, I'll announce it on the list anyway.


On Sun, Dec 2, 2012 at 9:00 AM, Daniel Borkmann <[email protected]> wrote:

On Sun, Dec 2, 2012 at 2:55 PM, Doug Burks <[email protected]> wrote:

On Tue, Oct 30, 2012 at 10:41 AM, Daniel Borkmann
<[email protected]> wrote:
<snip>

-f /etc/nsm/$HOSTNAME-$INTERFACE/bpf-pcap.conf
This should be the same option in netsniff-ng, but my understanding is
that I'll need to convert my "human-readable" bpf-pcap.conf using
"tcpdump -dd"?


Yes, it you want to use filters and bpf-pcap.conf contains
tcpdump-like filters, run them through "tcpdump -dd <my filter>" >
out.ops and then pass out.ops to netsniff-ng via "--filter out.ops".
That's it; netsniff-ng will then automatically enable the BPF JIT if
it's available in your kernel. This feature translates BPF filters
into architecture optimized machine opcodes within the kernel.


We've officially replaced daemonlogger with netsniff-ng and it appears
to be working well!  However, we haven't included BPF functionality
yet, so I need to add that now.  I can do what's described above, but
the FAQ also says:


Cool, I'm very happy about that!


"If you try to create custom socket filters with tcpdump -dd, you have
to edit the ret opcode (0x6) of the resulting filter, otherwise your
payload will be cut off:

0x6, 0, 0, 0xFFFFFFFF instead of 0x6, 0, 0, 0x00000060

The Linux kernel now takes skb->len instead of 0xFFFFFFFF. If you do
not change it, the kernel will take 0x00000060 as buffer length and
packets larger than 96 Byte will be cut off (filled with zero Bytes)!
It's a bug in libpcaps filter compiler. Detailed information about
this issue can be found on our blog post."

The linked blog post is no longer available.  So is this an issue I
need to be concerned about?


Actually not anymore. I use Fedora and the tcpdump version there outputs:

# tcpdump -dd ip
tcpdump: WARNING: eth0: no IPv4 address assigned
{ 0x28, 0, 0, 0x0000000c },
{ 0x15, 0, 1, 0x00000800 },
{ 0x6, 0, 0, 0x0000ffff },
{ 0x6, 0, 0, 0x00000000 },

So they have changed this from 0x00000060 into 0x0000ffff.

For bpfc itself, I didn't have time to finish the high-level compiler,
yet. We have an assembler-like compiler where you can also create
filters with, but for usability you can use the method described
above, of course.

--






--
Doug Burks
http://securityonion.blogspot.com

--




--






--
Doug Burks
http://securityonion.blogspot.com

--




--








--






























					Reply via email to