.\" Generated by scdoc 1.11.2
.\" Complete documentation for this program is not available as a GNU info page
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.nh
.ad l
.\" Begin generated content:
.TH "sniffglue" "1" "2024-01-07"
.P
.SH NAME
.P
sniffglue - secure multithreaded packet sniffer
.P
.SH SYNOPSIS
.P
\fBsniffglue [-vrpVh] [-n \fR\fIthreads\fR\fB]\fR \fIdevice\fR
.P
.SH DESCRIPTION
.P
\fBsniffglue\fR is a network sniffer written in Rust.\& Network packets are parsed concurrently using a thread pool to utilize all CPU cores.\& The project goals are that you can run \fBsniffglue\fR securely on untrusted networks and that it must not crash when processing packets.\& The output should be as useful as possible by default.\&
.P
.SH OPTIONS
.P
\fB-v\fR, \fB--verbose\fR
.RS 4
Increase filter sensitivity to show more (possibly less useful) packets.\& By default only a few packets are shown; this flag can be specified multiple times (maximum: 4).\&
.P
.RE
\fB-h\fR, \fB--help\fR
.RS 4
Prints help information.\&
.P
.RE
\fB-p\fR, \fB--promisc\fR
.RS 4
Set \fIdevice\fR to promiscuous mode.\&
.P
.RE
\fB-r\fR, \fB--read\fR
.RS 4
Open \fIdevice\fR as a pcap file.\&
.P
.RE
\fB-n\fR, \fB--threads\fR \fIthreads\fR
.RS 4
Specify the number of threads.\&
.P
.RE
\fB-V\fR, \fB--version\fR
.RS 4
Prints version information.\& If \fB-r\fR was specified, open as pcap file instead.\&
.P
.RE
.SH EXAMPLES
.P
Sniff with default filters (dhcp, dns, tls, http) from \fIenp0s25\fR:
.P
.RS 4
\fBsniffglue enp0s25\fR
.P
.RE
Increase the filter sensitivity (arp):
.P
.RS 4
\fBsniffglue -v enp0s25\fR
.P
.RE
Increase the filter sensitivity further (cjdns, ssdp, dropbox, packets with valid utf8):
.P
.RS 4
\fBsniffglue -vv enp0s25\fR
.P
.RE
Almost everything:
.P
.RS 4
\fBsniffglue -vvv enp0s25\fR
.P
.RE
Everything:
.P
.RS 4
\fBsniffglue -vvvv enp0s25\fR
.P
.RE
Read a dump from \fIsniff.\&pcap\fR with increased filter sensitivity, decoding packets with 1 thread:
.P
.RS 4
\fBsniffglue -vvrn1 sniff.\&pcap\fR
.P
.RE
.SH PROTOCOLS
.P
\fBethernet\fR, \fBipv4\fR, \fBipv6\fR, \fBarp\fR, \fBtcp\fR, \fBudp\fR, \fBhttp\fR, \fBtls\fR, \fBdns\fR, \fBdhcp\fR, \fBcjdns eth beacons\fR, \fBssdp\fR, \fBdropbox beacons\fR
.P
.SH SECURITY
.P
To report a security issue please contact kpcyrd on ircs://irc.\&hackint.\&org.\&
.P
.SS SECCOMP
.P
To ensure a compromised process doesn'\&t compromise the system, sniffglue uses seccomp to restrict the syscalls that can be used after the process has started.\& This is done in two stages: first at the very beginning (directly after env_logger is initialized), and again after the sniffer has been set up but before packets are read from the network.\&
.P
.SS HARDENING
.P
During the second stage, some general hardening is also applied before all unneeded syscalls are finally disabled.\& These settings are system specific, so a configuration file is read from \fB/etc/sniffglue.\&conf\fR.\& This config file specifies an empty directory for \fBchroot\fR and an unprivileged account in \fBuser\fR that is used to drop root privileges.\&
.P
.SS FUZZING
.P
The packet processing of \fBsniffglue\fR can be fuzzed using \fIcargo-fuzz\fR.\& Everything you should need is provided in the \fIfuzz/\fR directory that is distributed along with the source code.\& Please note that this program links to \fIlibpcap\fR, which is not included in the current fuzzing configuration.\&
.P
.SH SEE ALSO
.P
\fBpcap(3PCAP)\fR, \fBseccomp(2)\fR
.P
.SH AUTHORS
.P
This program was originally written and is currently maintained by kpcyrd.\& Bug reports and patches are welcome on GitHub:
.P
.RS 4
\fIhttps://github.\&com/kpcyrd/sniffglue\fR
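.P
The FUZZING section above describes fuzzing the packet parsers with \fIcargo-fuzz\fR so that malformed input can never crash the process.\& The following is an added example and is not code from sniffglue or its \fIfuzz/\fR directory: a bounds-checked Ethernet and IPv4 header parser that returns \fBNone\fR instead of panicking on truncated or corrupt input, together with a small deterministic mutation loop standing in for the fuzzer.\& Under \fIcargo-fuzz\fR the body of \fBfuzz_me\fR would become the closure passed to \fBfuzz_target!\fR; the sample frame and the xorshift mutator are constructed for this example.\&
.P
```rust
// Added example, not sniffglue's own parsers. Demonstrates the "must not
// crash on any packet" property that a cargo-fuzz target checks: every
// index into the buffer is guarded, and malformed input yields None.

#[derive(Debug, PartialEq)]
pub struct Ethernet {
    pub dst: [u8; 6],
    pub src: [u8; 6],
    pub ethertype: u16,
}

#[derive(Debug, PartialEq)]
pub struct Ipv4 {
    pub header_len: usize,
    pub protocol: u8,
    pub src: [u8; 4],
    pub dst: [u8; 4],
}

#[derive(Debug, PartialEq)]
pub enum Packet {
    Ipv4 { eth: Ethernet, ip: Ipv4, payload_len: usize },
    Other { eth: Ethernet },
}

/// Parse a 14-byte Ethernet II header; returns the header and the remaining bytes.
pub fn parse_ethernet(data: &[u8]) -> Option<(Ethernet, &[u8])> {
    if data.len() < 14 {
        return None; // truncated frame: refuse rather than index out of bounds
    }
    let mut dst = [0u8; 6];
    dst.copy_from_slice(&data[0..6]);
    let mut src = [0u8; 6];
    src.copy_from_slice(&data[6..12]);
    let ethertype = u16::from_be_bytes([data[12], data[13]]);
    Some((Ethernet { dst, src, ethertype }, &data[14..]))
}

/// Parse an IPv4 header, validating version, IHL and total length against the buffer.
pub fn parse_ipv4(data: &[u8]) -> Option<(Ipv4, &[u8])> {
    let first = *data.first()?; // version/IHL byte, only if present
    if first >> 4 != 4 {
        return None;
    }
    let header_len = ((first & 0x0f) as usize) * 4;
    // IHL below 5 (20 bytes) is invalid, and the whole header must be in the buffer.
    if header_len < 20 || data.len() < header_len {
        return None;
    }
    let total_len = u16::from_be_bytes([data[2], data[3]]) as usize;
    if total_len < header_len {
        return None; // total length cannot be smaller than the header itself
    }
    let protocol = data[9];
    let mut src = [0u8; 4];
    src.copy_from_slice(&data[12..16]);
    let mut dst = [0u8; 4];
    dst.copy_from_slice(&data[16..20]);
    // A capture may be shorter than the declared total length; clamp to what we have.
    let end = total_len.min(data.len());
    Some((Ipv4 { header_len, protocol, src, dst }, &data[header_len..end]))
}

pub fn parse_packet(data: &[u8]) -> Option<Packet> {
    let (eth, rest) = parse_ethernet(data)?;
    if eth.ethertype == 0x0800 {
        let (ip, payload) = parse_ipv4(rest)?;
        Some(Packet::Ipv4 { eth, ip, payload_len: payload.len() })
    } else {
        Some(Packet::Other { eth })
    }
}

/// What a fuzz target body looks like: the parser must return, never panic.
pub fn fuzz_me(data: &[u8]) {
    let _ = parse_packet(data);
}

/// Deterministic stand-in for a fuzzer: every truncation of the seed plus
/// `rounds` single-byte xorshift mutations. Returns the number of inputs tried.
pub fn mutate_and_check(seed: &[u8], rounds: u32) -> usize {
    let mut cases = 0;
    for n in 0..=seed.len() {
        fuzz_me(&seed[..n]);
        cases += 1;
    }
    let mut x: u32 = 0x9e37_79b9; // constructed xorshift32 state
    for _ in 0..rounds {
        x ^= x << 13;
        x ^= x >> 17;
        x ^= x << 5;
        let mut m = seed.to_vec();
        if !m.is_empty() {
            let i = (x as usize) % m.len();
            m[i] ^= (x >> 8) as u8;
        }
        fuzz_me(&m);
        cases += 1;
    }
    cases
}

/// Constructed sample: broadcast Ethernet frame carrying a minimal IPv4/UDP
/// header (total length 24) with 4 payload bytes. Checksum is left zero and
/// is not validated by this parser.
pub fn sample_frame() -> Vec<u8> {
    let mut f = vec![0xff; 6];
    f.extend_from_slice(&[0x02, 0, 0, 0, 0, 1]);
    f.extend_from_slice(&[0x08, 0x00]);
    f.extend_from_slice(&[
        0x45, 0x00, 0x00, 0x18, 0x00, 0x00, 0x40, 0x00,
        0x40, 0x11, 0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2,
    ]);
    f.extend_from_slice(&[1, 2, 3, 4]);
    f
}

fn main() {
    let frame = sample_frame();
    println!("{:?}", parse_packet(&frame));
    let n = mutate_and_check(&frame, 1000);
    println!("checked {} mutated inputs without panicking", n);
}
```
.P
The same bounds discipline applies to every protocol listed under PROTOCOLS: each layer checks the buffer length before reading, and a failure in one layer is reported upward as \fBNone\fR so a single hostile packet cannot take the sniffer down.\&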