From aldeid
Jump to: navigation, search
This page is still a draft. Thank you for your understanding.


What is daemonlogger

Daemonlogger is a packet logger and soft tap based on libpcap. It has two runtime modes:

  • It sniffs packets and spools them straight to the disk and can daemonize itself for background packet logging.
  • It sniffs packets and rewrites them to a second interface, essentially acting as a soft tap.

The tool has been written by Marty Roesch from Sourcefire Inc.

What differences with tcpdump?

This section/article is being written and is therefore not complete.
Thank you for your comprehension.



First install libdnet

$ cd /data/src/
$ wget http://transact.dl.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz
$ tar xvzf libdnet-1.11.tar.gz
$ cd libdnet-1.11/
$ ./configure
$ make
# make install


$ cd /data/src/
$ wget http://www.snort.org/users/roesch/code/daemonlogger-1.2.1.tar.gz
$ tar xzvf daemonlogger-1.2.1.tar.gz
$ cd daemonlogger-1.2.1/
$ ./configure
$ make
# make install



daemonlogger [-options] <bpf filter>


-c <count>
Log <count> packets and exit
Daemonize at startup
-f <bpf file>
Load BPF filter from <bpf file>
Flush the pcap buffer for each packet
-g <group name>
Set group ID to <group name>
Show this usage statement
-i <intf>
Grab packets from interface <intf>
-l <path>
Log to directory <path>
-m <count>
Generate <count> log files and quit
-M <pct>
In ringbuffer mode log data to <pct> of volume capacity
-n <name>
Set output filename prefix to <name>
-o <outf>
Disable logging, retransmit data from <intf> to <outf>
-p <pidfile>
Use <pidfile> for PID filename
-P <pidpath>
Use <pidpath> for PID directory
Activate ringbuffer mode
-R <pcap file>
Read packets from <pcap file>
-s <bytes>
Rollover the log file every <bytes>
-S <snaplen>
Capture <snaplen> bytes per packet
Rollover the log file on time intervals
-u <user name>
Set user ID to <user name>
Show daemonlogger version


Example 1: Basic Sniffing with ring

This example shows how to sniff on eth1 with ring option active (which means you allocate a certain amount of disk space for your capture):

# /usr/local/bin/daemonlogger \
  -i eth1 \
  -l /tmp \
  -m 5 \
  -n testcap \
  -r \
  -s 1073741824\
  -S 1515
[-] Interface set to eth1
[-] Logpath set to /tmp
[-] Max files to write set to 5
[-] Log filename set to "testcap"
[-] Pidfile configured to "daemonlogger.pid"
[-] Pidpath configured to "/var/run"
[-] Ringbuffer active
[-] Rollover size set to 1073741824 bytes
[-] Snaplen set to 1515
[-] Rollover time configured for 0 seconds
[-] Pruning behavior set to oldest IN DIRECTORY

-*> DaemonLogger <*-
Version 1.2.1
By Martin Roesch
(C) Copyright 2006-2007 Sourcefire Inc., All rights reserved

Checking partition stats for log directory "/tmp/."
sniffing on interface eth1
Logging packets to /tmp/testcap.1312899477