SANS ISC: Using daemonlogger as a Software Tap

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

A while back, I was in need of tapping the traffic going through my Linux gateway and was looking at doing this on the "cheap", meaning to spend as little as possible on a tap to capture everything going from the internal to external and vice versa without having to put in another device (inline tap). After reviewing daemonlogger's [1] capabilities, I realized I could capture the traffic from one of the two interfaces of my gateway and forward a copy to a third interface connected to my packet sniffer.

In my rc.local file, I added the following command to get the software tap to restart each time the gateway was restarted. The configuration is simple, indicate which interface is used for the input (i.e. -i eth0) and where the software tap is located (i.e. -o eth2) by activating tap mode and finally start daemonlogger as a daemon (i.e. -d).

# Starting packet forwarding to from eth0 to eth2 for full packet capture ..."
/usr/local/sbin/daemonlogger -i eth0 -o eth2 -d

[1] https://github.com/vrtadmin/Daemonlogger

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu