
Slackware Linux: IP Traffic Logger/Capture w/ Daemonlogger
May 9, 2011

Operating System: Slackware
Platform: x86_64
Applications: Daemonlogger

I. Abstract

This document describes the process of setting up an IP traffic packet logging system on the x86 platform with Slackware Linux. We will be using Daemonlogger by Martin Roesch.

The configuration assumed for this guide consists of two network interfaces. One will be for management and one will be connected to the network SPAN, TAP or hub on the edge device to monitor all traffic.

Daemonlogger Test Platform:

  • IBM xSeries 345 (w/ 2 Gigabit NICs)
  • 2x Intel XEON 2.66Ghz CPUs / 3GB RAM
  • Slackware 13.37 (x86)

Keep in mind that this document does not cover hardening the system. That process is outlined in other documents from myself or others. This machine needs to be well protected. It may be in a very vulnerable position, facing that filthy and scary Internet.

You will need root access to do most of these tasks.


II. Install and Setup the Operating Environment

I believe in an operating system configuration that is as minimal as possible. Because of this, I've created a set of "tagfiles" tailored specifically for this system's purpose. Download tagfiles.tar and extract the contents to a floppy or USB thumb drive... whichever your system can support. Now plug in the drive or insert the floppy into the target system.

After booting the installation media, you will be asked to log in as root. After this, you need to mount the media that contains the tagfiles from that .tar file. If you're using a floppy, do this:

root@slackware:/# mkdir /tagfiles
root@slackware:/# mount /dev/fd0 /tagfiles

If you're using a USB drive, enter fdisk -l to find out the device name of your drive. For example, mine is /dev/sdg1:

root@slackware:/# mkdir /tagfiles
root@slackware:/# mount /dev/sdg1 /tagfiles

Don't forget to set up your hard drive(s) using fdisk. I won't go into those details, just make sure /usr and /var have a decent amount of space each. Also, I suggest mounting your storage location separately, i.e. on another drive (or RAID, or remote filesystem). I won't detail that process, but for this guide I have a 5 drive RAID ext4 filesystem mounted as /net-data. Depending on the amount of traffic you will be capturing, make this as large as possible and figure out a policy for either backing up this data for archival use or setting an overwrite/FIFO data writing schedule.

Now type setup and continue the normal installation process. When prompted for the PACKAGE SERIES SELECTION, choose the following:

[*] A    Base Linux system
[*] AP   Various Applications that do not need X
[*] D    Program Development (C, C++, Lisp, Perl, etc.)
[ ] E    GNU Emacs
[ ] F    FAQ lists, HOWTO documentation
[*] K    Linux kernel source
[ ] KDE  Qt and the K Desktop Environment for X
[ ] KDEI International language support for KDE
[*] L    System Libraries (needed by KDE, GNOME, X, and more)
[*] N    Networking (TCP/IP, UUCP, Mail, News)
[ ] T    TeX typesetting software
[ ] TCL  Tcl/Tk script languages
[ ] X    X Window System
[ ] XAP  X Applications
[ ] Y    Games

When asked about the prompting mode, select tagpath and hit enter. Now enter the following path line:

/tagfiles

The automated installation should now begin. Go get a sandwich. When it has finished installing the file sets, pull the USB drive! I've noticed it messes up the LILO/MBR installation if left in for the rest of the installation.

When configuring the network, set one interface as your internal (LAN) NIC. We will configure the Internet facing interface later.

When asked which services to run at startup, select only what you need (ntpd, sshd and syslog). When finished, reboot and continue.

III. Get and Apply Security Updates and Configure NTP

We want to stay current, with a stable and secure operating environment. The newer releases of Slackware make this simple. First, edit the /etc/slackpkg/mirrors file by un-commenting a mirror close to you (be careful to choose either the x86 or x64 sites, depending on your platform!). Then, do the following:

# slackpkg update && slackpkg upgrade-all

This command will hunt down updates applicable to your environment. A dialog should pop-up prompting you to select the desired packages for update. Keep them all selected and hit enter (OK).

Time accuracy is very important for any system. All you need to do is uncomment the following line in /etc/ntp.conf and the NTP daemon will do the rest:

#server pool.ntp.org iburst

Now that we are updated and the correct drive mount settings are complete, you should reboot.


IV. Compile and Install Daemonlogger

libdnet is a dependency, so build it first. I'd use ports, but its dependencies are not necessary and the port is broken anyway.

# cd /usr/src
# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
# tar zxvf libdnet-1.12.tgz
# rm libdnet-1.12.tgz
# cd libdnet-1.12
# ./configure && make && make install

Daemonlogger

# cd /usr/src
# wget http://www.snort.org/users/roesch/code/daemonlogger-1.2.1.tar.gz
# tar zxvf daemonlogger-1.2.1.tar.gz
# rm daemonlogger-1.2.1.tar.gz
# cd daemonlogger-1.2.1
# ./configure && make && make install


V. Usage, Tips and Tricks

Listening and Management Interfaces

On my system, the LAN (management) interface is eth0. I would like to use eth1 to passively sniff packets on the SPAN port of my Cisco switch. All we need to do is turn on the interface, no further configuration is needed. So just issue the following command to activate it (like I said, mine is eth1, yours may be different):

# ifconfig eth1 up

BPF

Daemonlogger is a fun and incredibly easy tool to use. To view available options, run daemonlogger -h. One of the great features is the ability to utilize the Berkeley Packet Filter (BPF). This allows you to only capture the traffic you truly care about.

For example, you can define a list of ports you'd like to either include or exclude from capture by adding them to a file and then calling the file with the -f flag (i.e. daemonlogger -f ports.bpf). ports.bpf could contain something like this to include ports 80, 8080 and 5190:

port 80 or port 8080 or port 5190

Alternatively, you could capture all ports except 443 (HTTPS) with this in the ports.bpf file:

!port 443

Logging Management

There are a few ways you can have Daemonlogger handle packet capturing (log rollover). I will review two here: time and size.

To rollover the log file every n bytes, use the -s flag. Though undocumented, you can use -s n<k/m/g/t> (kb, mb, gb, tb) - (thanks to Marty for the note about that!). For example, to start writing to a new log file each time it reaches 1GB, you would add the following to your execution statement:

-s 1g

To rollover the log file using time increments, use the -t flag (which counts by seconds). For example, to start writing to a new log file hourly, you would add the following to your execution statement:

-t 3600

There are other options to consider when using this software. The command daemonlogger -h will list what is available.

Examples

The following command will use the ports filter file I created (-f ports.bpf), listen to traffic on interface eth1 (-i eth1), write the log files to the /net-data directory (-l /net-data), set it to rollover the log files every hour (-t 3600) and prefix each log file with DMZ (the subnet I'm listening to):

# daemonlogger -f ports.bpf -i eth1 -l /net-data -t 3600 -n dmz

The following command will use the ports filter file I created (-f ports.bpf), listen to traffic on interface eth1 (-i eth1), write the log files to the /net-data directory (-l /net-data), set it to rollover the log files each time they reach 500MB (-s 500m) and prefix each log file with DMZ (the subnet I'm listening to):

# daemonlogger -f ports.bpf -i eth1 -l /net-data -s 500m -n dmz
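Section II suggests working out an overwrite/FIFO policy for the capture volume, and the rollover flags above produce one file per hour or per n bytes in /net-data. The script below is an added example (not part of this guide or of Daemonlogger itself) of such a policy: it assumes the capture files are named <prefix>.<unix epoch> as produced by -n dmz, and deletes the oldest files until the directory fits under a byte budget, never touching the newest file (the one Daemonlogger is still writing).

```shell
#!/bin/sh
# Added example: FIFO retention for a Daemonlogger capture directory.
# Assumption: files are named <prefix>.<epoch>, e.g. /net-data/dmz.1304968800.
# Usage: prune_captures <dir> <prefix> <max_bytes>   (prints files deleted)

# Print "<epoch> <bytes> <path>" for each capture file, oldest first.
# Files whose suffix is not a pure number (e.g. dmz.bpf) are skipped.
list_captures() {
    dir=$1; prefix=$2
    for f in "$dir/$prefix".*; do
        [ -f "$f" ] || continue
        ts=${f##*.}
        case $ts in *[!0-9]*|'') continue ;; esac
        printf '%s %s %s\n' "$ts" "$(wc -c < "$f")" "$f"
    done | sort -n
}

# Total bytes used by capture files (0 when there are none).
capture_bytes() {
    list_captures "$1" "$2" | awk '{ s += $2 } END { print s + 0 }'
}

# Delete oldest captures until total <= max_bytes, keeping the newest file.
# Deleting the open file would only unlink it; space is not freed until the
# logger rolls over, so that file is always left alone.
prune_captures() {
    dir=$1; prefix=$2; max=$3
    used=$(capture_bytes "$dir" "$prefix")
    total=$(list_captures "$dir" "$prefix" | wc -l)
    count=0
    # Here-document keeps the loop in the current shell (no subshell).
    while read -r ts bytes path; do
        [ "$used" -gt "$max" ] || break
        [ "$count" -lt $((total - 1)) ] || break
        rm -f -- "$path"
        used=$((used - bytes))
        count=$((count + 1))
    done <<EOF
$(list_captures "$dir" "$prefix")
EOF
    echo "$count"
}

# Run from cron, e.g.: prune_captures /net-data dmz 500000000000
if [ $# -eq 3 ]; then
    prune_captures "$1" "$2" "$3"
fi
```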


VI. Helpful Links



© 2001-2017 Procyon Labs / Randal T. Rioux