0

sniffglue

Secure multithreaded packet sniffer

Official Site
Github repo
Main metrics

Github stars Tracking Chart

sniffglue Build Status Crates.io

sniffglue is a network sniffer written in rust. Network packets are parsed concurrently
using a thread pool to utilize all cpu cores. Project goals are that you can
run sniffglue securely on untrusted networks and that it must not crash
when processing packets. The output should be as useful as possible by default.

screenshot

Usage

# sniff with default filters (dhcp, dns, tls, http)
sniffglue enp0s25
# increase the filter sensitivity (arp)
sniffglue -v enp0s25
# increase the filter sensitivity (cjdns, ssdp, dropbox, packets with valid utf8)
sniffglue -vv enp0s25
# almost everything
sniffglue -vvv enp0s25
# everything
sniffglue -vvvv enp0s25

Installation

There is an official package available for archlinux:

pacman -S sniffglue

There's also a package available in debian unstable (still trying to get it to testing):

apt install sniffglue

To build from source make sure you have libpcap and libseccomp installed. On
debian based systems:

# install the dependencies
sudo apt install libpcap-dev libseccomp-dev
# install rust with rustup
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs, sh
source $HOME/.cargo/env
# install sniffglue and test it
cargo install sniffglue
sniffglue --help

Protocols

  • ethernet
  • ipv4
  • ipv6
  • arp
  • tcp
  • udp
  • icmp
  • http
  • tls
  • dns
  • dhcp
  • cjdns eth beacons
  • ssdp
  • dropbox beacons
  • 802.11

Docker

You can build sniffglue as a docker image to debug container setups. The image
is currently about 11.1MB. It is recommended to push it to your own registry.

docker build -t sniffglue .
docker run -it --init --rm --net=host sniffglue eth0

Security

To report a security issue please contact kpcyrd on ircs://irc.hackint.org.

Seccomp

To ensure a compromised process doesn't compromise the system, sniffglue uses
seccomp to restrict the syscalls that can be used after the process started.
This is done in two stages, first at the very beginning (directly after
env_logger initialized) and once after the sniffer has been setup, but before
packets are read from the network.

Hardening

During the second stage, there's also some general hardening that is applied
before all unneeded syscalls are finally disabled. Those are system specific,
so a configuration file is read from /etc/sniffglue.conf. This config
file specifies an empty directory for chroot and an unprivileged account
in user that is used to drop root privileges.

boxxy-rs

This project includes a small boxxy-rs based shell that can be used to
explore the sandbox at various stages during and after initialization. This is
also used by travis to ensure the sandbox actually blocks syscalls.

cargo run --example boxxy

Reproducible builds

This project is tested using reprotest. Currently the following variations are
excluded:

  • -time - needed because the crates.io cert expires in the future
  • -domain_host - requires root for unshare(2) and has been excluded

Don't forget to install the build dependencies.

ci/reprotest.sh

Fuzzing

The packet processing of sniffglue can be fuzzed using cargo-fuzz.
Everything you should need is provided in the fuzz/ directory that is
distributed along with its source code. Please note that this program links
to libpcap which is not included in the current fuzzing configuration.

cargo fuzz run read_packet

License

GPLv3+

Overview

Name With Ownerkpcyrd/sniffglue
Primary LanguageRust
Program languageRust (Language Count: 4)
Platform
License:GNU General Public License v3.0
Release Count24
Last Release Namev0.16.0 (Posted on )
First Release Namev0.1.0 (Posted on )
Created At2017-09-12 16:26:24
Pushed At2024-01-07 17:13:46
Last Commit At
Stargazers Count1.1k
Watchers Count20
Fork Count94
Commits Count356
Has Issues Enabled
Issues Count35
Issue Open Count13
Pull Requests Count83
Pull Requests Open Count3
Pull Requests Close Count6
Has Wiki Enabled
Is Archived
Is Fork
Is Locked
Is Mirror
Is Private
To the top