Net2PCAP
Download net2pcap. Please audit ! Send remarks to
phil@secdev.org and nico@chdir.org
Maybe PCAPdispatcher will help you to analyse
your captures.
Abstract
Net2PCAP is a simple network to pcap capture file for Linux. Its goal is to be
as simple as possible (hence auditable) so that good confidence
can be reached, for it to be used in hostile environments. It does not use any
library except a bit of libc. It does not do
anything except dumping network traffic from an interface to a
pcap file. It is less than 400 lines of C. Please audit it !
Comparison with tcpdump
Yes, tcpdump -w capfile can do almost the same. But the goal
of tcpdump is network debugging (thus, lot of options, packet disassembly,
etc.). The goal of net2pcap is to capture traffic into a file in hostile
environments (honeypots, internet, etc.) for future analysis.
- net2pcap can run in daemon mode
- net2pcap can reopen its capture file (SIGHUP) (used for capture file rotation)
- net2pcap does not do anything else than reading from network and dumping to file
- net2pcap does not use libpcap
- net2pcap runs only on Linux
- net2pcap is auditable (less than 400 lines)
Usage
$ ./net2pcap -h
Usage: net2pcap -i interface [-pdx] [-f capfile] [-t ethertype] [-s snaplen]
-p : doesn't go promiscuous
-d : daemon mode (background + uses syslog)
-x : hexdumps every packet on output (if not daemon)
snaplen defaults to 1600
capfile defaults to net2pcap.cap
ethertype defaults to ETH_P_ALL (sniff all)
Capture file rotation
If the capture file already exists, packets are appended.
When SIG_HUP is delivered to net2pcap, it will close and reopen the file.
Thus, you can rotate capture files without loosing any packet :
# net2pcap -i eth0 -f pcapfile -d
And every day (for a 1 day archive) :
# mv pcapfile pcapfile.0
# killall -HUP net2pcap