
kpcyrd / sniffglue


Secure multithreaded packet sniffer

Home Page: https://crates.io/crates/sniffglue

License: GNU General Public License v3.0

Rust 95.70% Shell 3.64% Dockerfile 0.58% Makefile 0.08%
rust sniffer pcap network sandboxed

sniffglue's Introduction

sniffglue

sniffglue is a network sniffer written in Rust. Network packets are parsed concurrently using a thread pool to utilize all CPU cores. The project goals are that you can run sniffglue securely on untrusted networks and that it must not crash when processing packets. The output should be as useful as possible by default.

Usage

# sniff with default filters (dhcp, dns, tls, http)
sniffglue enp0s25
# increase the filter sensitivity (arp)
sniffglue -v enp0s25
# increase the filter sensitivity (cjdns, ssdp, dropbox, packets with valid utf8)
sniffglue -vv enp0s25
# almost everything
sniffglue -vvv enp0s25
# everything
sniffglue -vvvv enp0s25

Installation

Arch Linux

pacman -S sniffglue

Mac OSX

brew install sniffglue

Debian/Ubuntu/Kali

First included in Debian bullseye and Ubuntu 21.04.

apt install sniffglue

Alpine

apk add sniffglue

Gentoo

layman -a pentoo
emerge --ask net-analyzer/sniffglue

NixOS

nix-env -i sniffglue

GNU Guix

guix install sniffglue

Fedora/RHEL/CentOS/CentOS Stream

dnf copr enable atim/sniffglue -y
dnf install sniffglue

From source

To build from source, make sure you have libpcap and libseccomp installed. On Debian-based systems:

# install the dependencies
sudo apt install libpcap-dev libseccomp-dev
# install rust with rustup
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env
# install sniffglue and test it
cargo install sniffglue
sniffglue --help

Or you can build a Debian package via cargo-deb:

cargo deb

Protocols

  • ethernet
  • ipv4
  • ipv6
  • arp
  • tcp
  • udp
  • icmp
  • http
  • tls
  • dns
  • dhcp
  • cjdns eth beacons
  • ssdp
  • dropbox beacons
  • ppp
  • 802.11

Docker

You can build sniffglue as a Docker image to debug container setups. The image is currently about 11.1MB. It is recommended to push it to your own registry.

docker build -t sniffglue .
docker run -it --init --rm --net=host sniffglue eth0

Building documentation

scdoc < docs/sniffglue.1.scd > docs/sniffglue.1

Security

To report a security issue please contact kpcyrd on ircs://irc.hackint.org.

Seccomp

To ensure a compromised process doesn't compromise the system, sniffglue uses seccomp to restrict the syscalls that can be used after the process has started. This is done in two stages: first at the very beginning (directly after env_logger is initialized), and again after the sniffer has been set up but before packets are read from the network.
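The two-stage pattern described above, as an added example that is not sniffglue's own code and is written against the raw Linux seccomp-BPF interface rather than libseccomp. The syscall lists, the use of /dev/zero as a stand-in for the capture handle, and all function names are assumptions made for the demonstration; it runs in a forked child so the caller stays unsandboxed.

```c
/* Added example, not sniffglue code: two-stage seccomp allowlist (raw seccomp-BPF). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "set NATIVE_ARCH to the AUDIT_ARCH_* value of this architecture"
#endif

#define MAX_ALLOWED 16
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Assumed, minimal syscall sets for the demo; a real sniffer needs many more.
 * Stage 1 still permits setup work (openat) and prctl, so stage 2 can be loaded. */
static const long STAGE1[] = { SYS_openat, SYS_read, SYS_close, SYS_prctl, SYS_exit_group };
/* Stage 2 keeps only what the steady-state read loop needs. */
static const long STAGE2[] = { SYS_read, SYS_close, SYS_exit_group };

/* Load a filter that allows the listed syscalls and fails all others with EPERM. */
static int load_allowlist(const long *allowed, size_t n)
{
    struct sock_filter prog[5 + 2 * MAX_ALLOWED];
    struct sock_fprog fprog;
    size_t i, p = 0;

    if (n > MAX_ALLOWED)
        return -1;
    /* Syscall numbers are per-ABI, so refuse to evaluate a foreign architecture. */
    prog[p++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                    (unsigned int)offsetof(struct seccomp_data, arch));
    prog[p++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0);
    prog[p++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[p++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                    (unsigned int)offsetof(struct seccomp_data, nr));
    for (i = 0; i < n; i++) {
        /* Match: fall through to ALLOW. No match: skip it and test the next entry. */
        prog[p++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                        (unsigned int)allowed[i], 0, 1);
        prog[p++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    prog[p++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);

    fprog.len = (unsigned short)p;
    fprog.filter = prog;
    /* Required for unprivileged filter installation; harmless when repeated. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Runs inside the child; returns a bitmask of the checks that held. */
static int sandboxed_child(void)
{
    int ok = 0, fd;
    char byte;

    if (load_allowlist(STAGE1, COUNT(STAGE1)) == 0)
        ok |= 1;                       /* stage 1 active from "process start" */
    fd = (int)syscall(SYS_openat, AT_FDCWD, "/dev/zero", O_RDONLY);
    if (fd >= 0)
        ok |= 2;                       /* setup may still open its input */
    if (load_allowlist(STAGE2, COUNT(STAGE2)) == 0)
        ok |= 4;                       /* filters stack; stage 2 only narrows */
    errno = 0;
    if (syscall(SYS_openat, AT_FDCWD, "/dev/zero", O_RDONLY) == -1 && errno == EPERM)
        ok |= 8;                       /* no new files once untrusted data is parsed */
    if (syscall(SYS_read, fd, &byte, 1) == 1)
        ok |= 16;                      /* descriptors opened earlier keep working */
    errno = 0;
    if (prctl(PR_GET_SECCOMP, 0, 0, 0, 0) == -1 && errno == EPERM)
        ok |= 32;                      /* prctl itself is gone after stage 2 */
    return ok;
}

/* Fork so the sandbox only ever applies to the child; 63 means all six checks held. */
int run_two_stage_demo(void)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(sandboxed_child());
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int result = run_two_stage_demo();
    printf("checks passed (bitmask): %d\n", result);
    return result == 63 ? 0 : 1;
}
```

Because descriptors opened before the final filter remain usable, the capture handle has to be opened during setup; anything left for later needs its syscall in the stage 2 list.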

Hardening

During the second stage, some general hardening is also applied before all unneeded syscalls are finally disabled. These measures are system-specific, so a configuration file is read from /etc/sniffglue.conf. This config file specifies an empty directory for chroot and an unprivileged account in user that is used to drop root privileges.

boxxy-rs

This project includes a small boxxy-rs based shell that can be used to explore the sandbox at various stages during and after initialization. This is also used by Travis to ensure the sandbox actually blocks syscalls.

cargo run --example boxxy

Reproducible builds

This project is tested using reprotest. Currently the following variations are excluded:

  • -time - needed because the crates.io cert expires in the future
  • -domain_host - requires root for unshare(2) and has been excluded

Don't forget to install the build dependencies.

ci/reprotest.sh

Fuzzing

The packet processing of sniffglue can be fuzzed using cargo-fuzz. Everything you should need is provided in the fuzz/ directory that is distributed along with its source code. Please note that this program links to libpcap which is not included in the current fuzzing configuration.

cargo fuzz run read_packet

License

GPLv3+

sniffglue's People

Contributors

bestouff, felixonmars, heiher, j2ghz, jamessan, kpcyrd, lkolbly, milkey-mouse, mrmaxmeier, nc7s, tim77

sniffglue's Issues

I need more protocol packages

Is it possible to grab FTP, SMTP, Telnet, Socks, Telnet, POP3 packets, or what should I do to achieve them? Thanks

Display tcp flags

It's currently not possible to see the tcp flags, like SYN/ACK/RST etc, this is very limiting in some debugging use cases and they should be displayed in the output.

Simple filtering rules

It's currently not possible to filter traffic besides verbosity levels and grepping on the output.

There should be at least a simple filter engine similar to tcpdump:

  • src/dest ip
  • src/dest port
  • a specific protocol

This could also abort parsing early, so if the filter didn't match we don't have to decode the upper layers anymore.

Fails to compile on FreeBSD

Hi,
I compiled the last version from master, but I have issues with the pcap library with cargo build

error: linking with `cc` failed: exit status: 1
|
 = note: ld: error: undefined symbol: pcap_create
         >>> referenced by sniff.rs:17 (src/sniff.rs:17)
         >>>               sniffglue-bf1eb365f3317f48.sniffglue.9mn4iqw5-cgu.13.rcgu.o:(sniffglue::sniff::open::h282e1377d6a42fc2) in archive /usr/home/maxfx/Documents/sniffglue/target/debug/deps/libsniffglue-bf1eb365f3317f48.rlib
         
         ld: error: undefined symbol: pcap_set_promisc
         >>> referenced by sniff.rs:25 (src/sniff.rs:25)
         >>>               sniffglue-bf1eb365f3317f48.sniffglue.9mn4iqw5-cgu.13.rcgu.o:(sniffglue::sniff::open::h282e1377d6a42fc2) in archive /usr/home/maxfx/Documents/sniffglue/target/debug/deps/libsniffglue-bf1eb365f3317f48.rlib
         
         ld: error: undefined symbol: pcap_set_immediate_mode
         >>> referenced by sniff.rs:29 (src/sniff.rs:29)
         >>>               sniffglue-bf1eb365f3317f48.sniffglue.9mn4iqw5-cgu.13.rcgu.o:(sniffglue::sniff::open::h282e1377d6a42fc2) in archive /usr/home/maxfx/Documents/sniffglue/target/debug/deps/libsniffglue-bf1eb365f3317f48.rlib
         
         ld: error: undefined symbol: pcap_activate
         >>> referenced by sniff.rs:32 (src/sniff.rs:32)
         >>>               sniffglue-bf1eb365f3317f48.sniffglue.9mn4iqw5-cgu.13.rcgu.o:(sniffglue::sniff::open::h282e1377d6a42fc2) in archive /usr/home/maxfx/Documents/sniffglue/target/debug/deps/libsniffglue-bf1eb365f3317f48.rlib
         
         ld: error: undefined symbol: pcap_geterr
         >>> referenced by sniff.rs:34 (src/sniff.rs:34)
         >>>               sniffglue-bf1eb365f3317f48.sniffglue.9mn4iqw5-cgu.13.rcgu.o:(sniffglue::sniff::open::h282e1377d6a42fc2) in archive /usr/home/maxfx/Documents/sniffglue/target/debug/deps/libsniffglue-bf1eb365f3317f48.rlib
         
         ld: error: undefined symbol: pcap_open_offline
         >>> referenced by sniff.rs:47 (src/sniff.rs:47)
         >>>               sniffglue-bf1eb365f3317f48.sniffglue.9mn4iqw5-cgu.13.rcgu.o:(sniffglue::sniff::open_file::h6b536c1658bb4bce) in archive /usr/home/maxfx/Documents/sniffglue/target/debug/deps/libsniffglue-bf1eb365f3317f48.rlib
         
         ld: error: undefined symbol: pcap_lookupdev
         >>> referenced by sniff.rs:62 (src/sniff.rs:62)
         >>>               sniffglue-bf1eb365f3317f48.sniffglue.9mn4iqw5-cgu.13.rcgu.o:(sniffglue::sniff::default_interface::h5f81dc2051d01a41) in archive /usr/home/maxfx/Documents/sniffglue/target/debug/deps/libsniffglue-bf1eb365f3317f48.rlib
         
         ld: error: undefined symbol: pcap_datalink
         >>> referenced by sniff.rs:74 (src/sniff.rs:74)
         >>>               sniffglue-bf1eb365f3317f48.sniffglue.9mn4iqw5-cgu.13.rcgu.o:(sniffglue::sniff::Cap::datalink::h56ac48274576ae37) in archive /usr/home/maxfx/Documents/sniffglue/target/debug/deps/libsniffglue-bf1eb365f3317f48.rlib
         
         ld: error: undefined symbol: pcap_next_ex
         >>> referenced by sniff.rs:83 (src/sniff.rs:83)
         >>>               sniffglue-bf1eb365f3317f48.sniffglue.9mn4iqw5-cgu.13.rcgu.o:(sniffglue::sniff::Cap::next_pkt::h791983a6c409863f) in archive /usr/home/maxfx/Documents/sniffglue/target/debug/deps/libsniffglue-bf1eb365f3317f48.rlib
         
         ld: error: undefined symbol: pcap_close
         >>> referenced by sniff.rs:106 (src/sniff.rs:106)
         >>>               sniffglue-bf1eb365f3317f48.sniffglue.9mn4iqw5-cgu.13.rcgu.o:(_$LT$sniffglue..sniff..Cap$u20$as$u20$core..ops..drop..Drop$GT$::drop::h99b326b0cef8db1a) in archive /usr/home/maxfx/Documents/sniffglue/target/debug/deps/libsniffglue-bf1eb365f3317f48.rlib
         cc: error: linker command failed with exit code 1 (use -v to see invocation)
         

error: aborting due to previous error

error: could not compile `sniffglue`


compile fail 0.16.0 could not find `NestedMeta` in `syn` on FreeBSD

Hi,
I tried to compile version 0.16.0

   Compiling nom-derive-impl v0.10.0
     Running `CARGO=/usr/local/bin/cargo CARGO_CRATE_NAME=nom_derive_impl CARGO_MANIFEST_DIR=/media/ST3000DM007-1WY10G_ZTT0SM4Q_p1/code/FreeBSD-Ports/sniffglue/work/sniffglue-0.16.0/cargo-crates/nom-derive-impl-0.10.0 CARGO_PKG_AUTHORS='Pierre Chifflier <[email protected]>' CARGO_PKG_DESCRIPTION='Custom derive nom parsers from struct' CARGO_PKG_HOMEPAGE='https://github.com/rust-bakery/nom-derive' CARGO_PKG_LICENSE=MIT/Apache-2.0 CARGO_PKG_LICENSE_FILE='' CARGO_PKG_NAME=nom-derive-impl CARGO_PKG_README=../README.md CARGO_PKG_REPOSITORY='https://github.com/rust-bakery/nom-derive.git' CARGO_PKG_RUST_VERSION='' CARGO_PKG_VERSION=0.10.0 CARGO_PKG_VERSION_MAJOR=0 CARGO_PKG_VERSION_MINOR=10 CARGO_PKG_VERSION_PATCH=0 CARGO_PKG_VERSION_PRE='' LD_LIBRARY_PATH='/media/ST3000DM007-1WY10G_ZTT0SM4Q_p1/code/FreeBSD-Ports/sniffglue/work/target/debug/deps:/usr/local/lib' /usr/local/bin/rustc --crate-name nom_derive_impl --edition=2018 /media/ST3000DM007-1WY10G_ZTT0SM4Q_p1/code/FreeBSD-Ports/sniffglue/work/sniffglue-0.16.0/cargo-crates/nom-derive-impl-0.10.0/src/lib.rs --error-format=json --json=diagnostic-rendered-ansi,artifacts,future-incompat --diagnostic-width=238 --crate-type proc-macro --emit=dep-info,link -C prefer-dynamic -C embed-bitcode=no -C debuginfo=2 -C metadata=73bf112996690947 -C extra-filename=-73bf112996690947 --out-dir /media/ST3000DM007-1WY10G_ZTT0SM4Q_p1/code/FreeBSD-Ports/sniffglue/work/target/debug/deps -C linker=clang15 -L dependency=/media/ST3000DM007-1WY10G_ZTT0SM4Q_p1/code/FreeBSD-Ports/sniffglue/work/target/debug/deps --extern proc_macro2=/media/ST3000DM007-1WY10G_ZTT0SM4Q_p1/code/FreeBSD-Ports/sniffglue/work/target/debug/deps/libproc_macro2-cc45d2137bcd54f6.rlib --extern quote=/media/ST3000DM007-1WY10G_ZTT0SM4Q_p1/code/FreeBSD-Ports/sniffglue/work/target/debug/deps/libquote-b4143c495ec148cf.rlib --extern syn=/media/ST3000DM007-1WY10G_ZTT0SM4Q_p1/code/FreeBSD-Ports/sniffglue/work/target/debug/deps/libsyn-c64f97925951f4c1.rlib --extern proc_macro 
--cap-lints warn`
error[E0433]: failed to resolve: could not find `NestedMeta` in `syn`
  --> /media/ST3000DM007-1WY10G_ZTT0SM4Q_p1/code/FreeBSD-Ports/sniffglue/work/sniffglue-0.16.0/cargo-crates/nom-derive-impl-0.10.0/src/enums.rs:70:42
   |
70 | ...                   syn::NestedMeta::Meta(meta) => match meta {
   |                            ^^^^^^^^^^ could not find `NestedMeta` in `syn`

error[E0277]: the trait bound `MetaAttr: ToTokens` is not satisfied
   --> /media/ST3000DM007-1WY10G_ZTT0SM4Q_p1/code/FreeBSD-Ports/sniffglue/work/sniffglue-0.16.0/cargo-crates/nom-derive-impl-0.10.0/src/meta/attr.rs:219:18
    |
219 | impl Spanned for MetaAttr {
    |                  ^^^^^^^^ the trait `ToTokens` is not implemented for `MetaAttr`
    |
    = help: the following other types implement trait `ToTokens`:
              bool
              char
              isize
              i8
              i16
              i32
              i64
              i128
            and 303 others
    = note: required for `MetaAttr` to implement `quote::spanned::Spanned`
    = note: required for `MetaAttr` to implement `syn::spanned::private::Sealed`
note: required by a bound in `syn::spanned::Spanned`
   --> /media/ST3000DM007-1WY10G_ZTT0SM4Q_p1/code/FreeBSD-Ports/sniffglue/work/sniffglue-0.16.0/cargo-crates/syn-2.0.8/src/spanned.rs:96:20
    |
96  | pub trait Spanned: private::Sealed {
    |                    ^^^^^^^^^^^^^^^ required by this bound in `Spanned`
    = note: `Spanned` is a "sealed trait", because to implement it you also need to implement `syn::spanned::private::Sealed`, which is not accessible; this is usually done to force you to use one of the provided types that already implement it
    = help: the following type implements the trait:
              T

error[E0433]: failed to resolve: use of undeclared type `LifetimeDef`
   --> /media/ST3000DM007-1WY10G_ZTT0SM4Q_p1/code/FreeBSD-Ports/sniffglue/work/sniffglue-0.16.0/cargo-crates/nom-derive-impl-0.10.0/src/gen/generator.rs:145:42
    |
145 |             .push(GenericParam::Lifetime(LifetimeDef::new(lft.clone())));
    |                                          ^^^^^^^^^^^
    |                                          |
    |                                          use of undeclared type `LifetimeDef`
    |                                          help: a struct with a similar name exists: `Lifetime`

Some errors have detailed explanations: E0277, E0433.
For more information about an error, try `rustc --explain E0277`.
error: could not compile `nom-derive-impl` (lib) due to 3 previous errors

Caused by:
  process didn't exit successfully: `CARGO=/usr/local/bin/cargo CARGO_CRATE_NAME=nom_derive_impl CARGO_MANIFEST_DIR=/media/ST3000DM007-1WY10G_ZTT0SM4Q_p1/code/FreeBSD-Ports/sniffglue/work/sniffglue-0.16.0/cargo-crates/nom-derive-impl-0.10.0 CARGO_PKG_AUTHORS='Pierre Chifflier <[email protected]>' CARGO_PKG_DESCRIPTION='Custom derive nom parsers from struct' CARGO_PKG_HOMEPAGE='https://github.com/rust-bakery/nom-derive' CARGO_PKG_LICENSE=MIT/Apache-2.0 CARGO_PKG_LICENSE_FILE='' CARGO_PKG_NAME=nom-derive-impl CARGO_PKG_README=../README.md CARGO_PKG_REPOSITORY='https://github.com/rust-bakery/nom-derive.git' CARGO_PKG_RUST_VERSION='' CARGO_PKG_VERSION=0.10.0 CARGO_PKG_VERSION_MAJOR=0 CARGO_PKG_VERSION_MINOR=10 CARGO_PKG_VERSION_PATCH=0 CARGO_PKG_VERSION_PRE='' LD_LIBRARY_PATH='/media/ST3000DM007-1WY10G_ZTT0SM4Q_p1/code/FreeBSD-Ports/sniffglue/work/target/debug/deps:/usr/local/lib' /usr/local/bin/rustc --crate-name nom_derive_impl --edition=2018 /media/ST3000DM007-1WY10G_ZTT0SM4Q_p1/code/FreeBSD-Ports/sniffglue/work/sniffglue-0.16.0/cargo-crates/nom-derive-impl-0.10.0/src/lib.rs --error-format=json --json=diagnostic-rendered-ansi,artifacts,future-incompat --diagnostic-width=238 --crate-type proc-macro --emit=dep-info,link -C prefer-dynamic -C embed-bitcode=no -C debuginfo=2 -C metadata=73bf112996690947 -C extra-filename=-73bf112996690947 --out-dir /media/ST3000DM007-1WY10G_ZTT0SM4Q_p1/code/FreeBSD-Ports/sniffglue/work/target/debug/deps -C linker=clang15 -L dependency=/media/ST3000DM007-1WY10G_ZTT0SM4Q_p1/code/FreeBSD-Ports/sniffglue/work/target/debug/deps --extern proc_macro2=/media/ST3000DM007-1WY10G_ZTT0SM4Q_p1/code/FreeBSD-Ports/sniffglue/work/target/debug/deps/libproc_macro2-cc45d2137bcd54f6.rlib --extern quote=/media/ST3000DM007-1WY10G_ZTT0SM4Q_p1/code/FreeBSD-Ports/sniffglue/work/target/debug/deps/libquote-b4143c495ec148cf.rlib --extern syn=/media/ST3000DM007-1WY10G_ZTT0SM4Q_p1/code/FreeBSD-Ports/sniffglue/work/target/debug/deps/libsyn-c64f97925951f4c1.rlib 
--extern proc_macro --cap-lints warn` (exit status: 1)
*** Error code 101

Failed to activate interface: BIOCSETIF failed: Device not configured

Hi @kpcyrd I just came across the project and wanted to try it out on my local network.
Invocation of sniffglue ... enp0s25 with all verbose levels results in the same outcome.

% sudo sniffglue -vvvv enp0s25
Error: Failed to activate interface: BIOCSETIF failed: Device not configured

I am not sure how to configure the BIOCSETIF ioctl.

macOS Catalina
Version 10.15.7

Do you have any ideas? Thank you

Bump tls-parser dependency

tls-parser has a more recent version that uses nom3, but we need to add nom3 support to all other dependencies first.

Fails to compile on Ubuntu 18.04

Hello,

A git checkout v0.10.1 fails to build with cargo build --release. cargo build succeeds. libpcap-dev and libseccomp-dev are installed. Here is the error:

sniffglue.dnmhg9ku-cgu.10:(.text._ZN9sniffglue5sniff4open17hb8e84e2e0b7f71bfE+0xe8): undefined reference to `pcap_create'
sniffglue.dnmhg9ku-cgu.10:(.text._ZN9sniffglue5sniff4open17hb8e84e2e0b7f71bfE+0x109): undefined reference to `pcap_set_promisc'
sniffglue.dnmhg9ku-cgu.10:(.text._ZN9sniffglue5sniff4open17hb8e84e2e0b7f71bfE+0x11e): undefined reference to `pcap_set_immediate_mode'
sniffglue.dnmhg9ku-cgu.10:(.text._ZN9sniffglue5sniff4open17hb8e84e2e0b7f71bfE+0x127): undefined reference to `pcap_activate'
sniffglue.dnmhg9ku-cgu.10:(.text._ZN9sniffglue5sniff4open17hb8e84e2e0b7f71bfE+0x138): undefined reference to `pcap_geterr'
/home/josh/Projects/sniffglue/target/release/deps/libsniffglue-c5fa3a636927f4ab.rlib(sniffglue-c5fa3a636927f4ab.sniffglue.dnmhg9ku-cgu.10.rcgu.o): In function `sniffglue::sniff::open_file':
sniffglue.dnmhg9ku-cgu.10:(.text._ZN9sniffglue5sniff9open_file17h283fbc9cc6b717a9E+0xe2): undefined reference to `pcap_open_offline'
/home/josh/Projects/sniffglue/target/release/deps/libsniffglue-c5fa3a636927f4ab.rlib(sniffglue-c5fa3a636927f4ab.sniffglue.dnmhg9ku-cgu.10.rcgu.o): In function `sniffglue::sniff::default_interface':
sniffglue.dnmhg9ku-cgu.10:(.text._ZN9sniffglue5sniff17default_interface17h845f99d15545b423E+0x9c): undefined reference to `pcap_lookupdev'
/home/josh/Projects/sniffglue/target/release/deps/libsniffglue-c5fa3a636927f4ab.rlib(sniffglue-c5fa3a636927f4ab.sniffglue.dnmhg9ku-cgu.10.rcgu.o): In function `sniffglue::sniff::Cap::datalink':
sniffglue.dnmhg9ku-cgu.10:(.text._ZN9sniffglue5sniff3Cap8datalink17h5645d7000768c5a4E+0x5): undefined reference to `pcap_datalink'
/home/josh/Projects/sniffglue/target/release/deps/libsniffglue-c5fa3a636927f4ab.rlib(sniffglue-c5fa3a636927f4ab.sniffglue.dnmhg9ku-cgu.10.rcgu.o): In function `sniffglue::sniff::Cap::next':
sniffglue.dnmhg9ku-cgu.10:(.text._ZN9sniffglue5sniff3Cap4next17hd3bdc1a1d5f3cdc7E+0x1b): undefined reference to `pcap_next_ex'
/home/josh/Projects/sniffglue/target/release/deps/libsniffglue-c5fa3a636927f4ab.rlib(sniffglue-c5fa3a636927f4ab.sniffglue.dnmhg9ku-cgu.10.rcgu.o): In function `<sniffglue::sniff::Cap as core::ops::drop::Drop>::drop':
sniffglue.dnmhg9ku-cgu.10:(.text.ZN63$LT$sniffglue..sniff..Cap$u20$as$u20$core..ops..drop..Drop$GT$4drop17hdb74488eeb23f80cE+0x5): undefined reference to `pcap_close'
collect2: error: ld returned 1 exit status

Error: Unknown link type: 0

Hi, can I please ask if I can write processing pcap traffic files in Windows using sniffglue?

BTW, I've encountered a lot of files with Error: Unknown link type: 0, I'm not sure what's going on, I've searched issues and no one seems to be in the same situation as me.

Here are the traffic packages with the problem:
Desktop.zip

Document verbosity levels

Right now a user has to figure out the verbosity levels with trial and error or by reading the source code. There should be a table in the man page for this.

libpcap error: socket: Operation not permitted

Hello, when I run sniffglue like in README.md

sniffglue `ip addr | awk '/state UP/ {print $2}' | sed 's/.$//'`

I got an error:

Failed to open interface "xxxx": libpcap error: socket: Operation not permitted

I have to use:

sudo `which sniffglue`  `ip addr | awk '/state UP/ {print $2}' | sed 's/.$//'`

Do I need to run as root every time?

Exits for no reason by itself when listening on `lo` or `any`.

Hi,

while trying out sniffglue (at version 0.15.0 on Debian GNU/Linux Unstable, package version 0.15.0-7), I noticed that, when using either the interface lo (local loopback device) or the virtual interface any (i.e. sniff on all interfaces), it outputs a bunch of packets and then exits (even with exit code 0, so not a crash?) for no obvious reason reproducibly after a seemingly random number of packets (so far I've counted 28, 49, 106 and 116 using sniffglue lo | wc -l).

So far, when I used it on any, it also only showed packets from the lo interface before it exited. But that might have been just chance.

IEEE 802.11 Support.

Hi, if anyone would be interested in implementing IEEE 802.11 support, just let me know in this thread. For a recent project of mine, I've developed a library for parsing wifi frames and I thought, this might help. PRs are always welcome on my side.

Installation on WSL fails to run

Hi,
first of all a BIG THANK YOU for sharing your work!
I'm trying to install sniffglue on WSL. Everything goes well without any errors, but when I want to run it I get this error:

rbeen@------:~$ sudo .cargo/bin/sniffglue
[sudo] password for rbeen:
thread 'main' panicked at 'init sandbox stage1: Seccomp(Error { inner: "seccomp_load returned error" })', src/libcore/result.rs:999:5
note: Run with RUST_BACKTRACE=1 environment variable to display a backtrace.
rbeen@------:~$

Can it be fixed?
Thanks in advance!
Best regards,

Rbeen

ppp support

Seems like ppp interfaces are not supported now:

$ sniffglue ppp0
Listening on device: "ppp0", verbosity 0/4
Error: Unknown link type: 113 

Build failed on FreeBSD

Hi,
I am porting sniffglue to FreeBSD 13 but have an issue with the linker. I have the default pcap library in /usr/lib/

e/work/target/x86_64-unknown-freebsd/release/deps/sniffglue-af1f7c1d0179cd7a" "-Wl,--gc-sections" "-pie" "-Wl,-zrelro,-znow" "-Wl,-O1" "-nodefaultlibs" "-fstack-protector-strong"
  = note: ld: error: undefined symbol: pcap_create
          >>> referenced by sniffglue.aa3ce2b3-cgu.12
          >>>               sniffglue-b7078bb5f15df165.sniffglue.aa3ce2b3-cgu.12.rcgu.o:(sniffglue::sniff::open::h9d191458254eeefa) in archive /wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libsniffglue-b7078bb5f15df165.rlib
          
          ld: error: undefined symbol: pcap_set_promisc
          >>> referenced by sniffglue.aa3ce2b3-cgu.12
          >>>               sniffglue-b7078bb5f15df165.sniffglue.aa3ce2b3-cgu.12.rcgu.o:(sniffglue::sniff::open::h9d191458254eeefa) in archive /wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libsniffglue-b7078bb5f15df165.rlib
          
          ld: error: undefined symbol: pcap_set_immediate_mode
          >>> referenced by sniffglue.aa3ce2b3-cgu.12
          >>>               sniffglue-b7078bb5f15df165.sniffglue.aa3ce2b3-cgu.12.rcgu.o:(sniffglue::sniff::open::h9d191458254eeefa) in archive /wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libsniffglue-b7078bb5f15df165.rlib
          
          ld: error: undefined symbol: pcap_activate
          >>> referenced by sniffglue.aa3ce2b3-cgu.12
          >>>               sniffglue-b7078bb5f15df165.sniffglue.aa3ce2b3-cgu.12.rcgu.o:(sniffglue::sniff::open::h9d191458254eeefa) in archive /wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libsniffglue-b7078bb5f15df165.rlib
          
          ld: error: undefined symbol: pcap_geterr
          >>> referenced by sniffglue.aa3ce2b3-cgu.12
          >>>               sniffglue-b7078bb5f15df165.sniffglue.aa3ce2b3-cgu.12.rcgu.o:(sniffglue::sniff::open::h9d191458254eeefa) in archive /wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libsniffglue-b7078bb5f15df165.rlib
          
          ld: error: undefined symbol: pcap_open_offline
          >>> referenced by sniffglue.aa3ce2b3-cgu.12
          >>>               sniffglue-b7078bb5f15df165.sniffglue.aa3ce2b3-cgu.12.rcgu.o:(sniffglue::sniff::open_file::h244c4e71acdc9f7c) in archive /wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libsniffglue-b7078bb5f15df165.rlib
          
          ld: error: undefined symbol: pcap_lookupdev
          >>> referenced by sniffglue.aa3ce2b3-cgu.12
          >>>               sniffglue-b7078bb5f15df165.sniffglue.aa3ce2b3-cgu.12.rcgu.o:(sniffglue::sniff::default_interface::he23480498e94270a) in archive /wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libsniffglue-b7078bb5f15df165.rlib
          
          ld: error: undefined symbol: pcap_datalink
          >>> referenced by sniffglue.aa3ce2b3-cgu.12
          >>>               sniffglue-b7078bb5f15df165.sniffglue.aa3ce2b3-cgu.12.rcgu.o:(sniffglue::sniff::Cap::datalink::h72364c637780cf57) in archive /wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libsniffglue-b7078bb5f15df165.rlib
          
          ld: error: undefined symbol: pcap_next_ex
          >>> referenced by sniffglue.aa3ce2b3-cgu.12
          >>>               sniffglue-b7078bb5f15df165.sniffglue.aa3ce2b3-cgu.12.rcgu.o:(sniffglue::sniff::Cap::next_pkt::h6e00dcf46819bfe4) in archive /wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libsniffglue-b7078bb5f15df165.rlib
          
          ld: error: undefined symbol: pcap_close
          >>> referenced by sniffglue.aa3ce2b3-cgu.12
          >>>               sniffglue-b7078bb5f15df165.sniffglue.aa3ce2b3-cgu.12.rcgu.o:(_$LT$sniffglue..sniff..Cap$u20$as$u20$core..ops..drop..Drop$GT$::drop::h15d2426d452514e8) in archive /wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libsniffglue-b7078bb5f15df165.rlib
          cc: error: linker command failed with exit code 1 (use -v to see invocation)
          

error: could not compile `sniffglue` due to previous error

Caused by:
  process didn't exit successfully: `CARGO=/usr/local/bin/cargo CARGO_BIN_NAME=sniffglue CARGO_CRATE_NAME=sniffglue CARGO_MANIFEST_DIR=/wrkdirs/usr/ports/devel/sniffglue/work/sniffglue-0.15.0 CARGO_PKG_AUTHORS='kpcyrd <[email protected]>' CARGO_PKG_DESCRIPTION='Secure multithreaded packet sniffer' CARGO_PKG_HOMEPAGE='' CARGO_PKG_LICENSE=GPL-3.0 CARGO_PKG_LICENSE_FILE='' CARGO_PKG_NAME=sniffglue CARGO_PKG_REPOSITORY='https://github.com/kpcyrd/sniffglue' CARGO_PKG_VERSION=0.15.0 CARGO_PKG_VERSION_MAJOR=0 CARGO_PKG_VERSION_MINOR=15 CARGO_PKG_VERSION_PATCH=0 CARGO_PKG_VERSION_PRE='' CARGO_PRIMARY_PACKAGE=1 LD_LIBRARY_PATH='/wrkdirs/usr/ports/devel/sniffglue/work/target/release/deps:/usr/local/lib' /usr/local/bin/rustc --crate-name sniffglue --edition=2018 src/main.rs --error-format=json --json=diagnostic-rendered-ansi --crate-type bin --emit=dep-info,link -C opt-level=2 -C embed-bitcode=no -C metadata=af1f7c1d0179cd7a -C extra-filename=-af1f7c1d0179cd7a --out-dir /wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps --target x86_64-unknown-freebsd -C linker=cc -L dependency=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps -L dependency=/wrkdirs/usr/ports/devel/sniffglue/work/target/release/deps --extern ansi_term=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libansi_term-2d1fb730bc962237.rlib --extern anyhow=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libanyhow-4cb8384e6e918bdd.rlib --extern atty=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libatty-eec43945c18dcfc4.rlib --extern base64=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libbase64-a118e9ad3391b037.rlib --extern bstr=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libbstr-c63d9240a61b6701.rlib --extern 
dhcp4r=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libdhcp4r-f93138e43de64715.rlib --extern dirs_next=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libdirs_next-9fb7419d96c41698.rlib --extern dns_parser=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libdns_parser-284a6e7f2862bde5.rlib --extern env_logger=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libenv_logger-924f03a86cb37e80.rlib --extern libc=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/liblibc-c0cac1b05d59e26a.rlib --extern log=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/liblog-63b073f5e7a6c5df.rlib --extern nix=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libnix-01c607906606c30a.rlib --extern nom=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libnom-f005dbd79a746dfa.rlib --extern num_cpus=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libnum_cpus-62b7676fa629119e.rlib --extern pcap_sys=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libpcap_sys-4be3fc960b6876c8.rlib --extern pktparse=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libpktparse-9a72259829c6233a.rlib --extern reduce=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libreduce-c73f8f7948c01f5e.rlib --extern serde=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libserde-15d42e0f481883f0.rlib --extern serde_derive=/wrkdirs/usr/ports/devel/sniffglue/work/target/release/deps/libserde_derive-0b490ee432686d8c.so --extern serde_json=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libserde_json-d0579b52f22d43b9.rlib --extern 
sha2=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libsha2-5876943b4e08c7e6.rlib --extern sniffglue=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libsniffglue-b7078bb5f15df165.rlib --extern structopt=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libstructopt-68a55774ab39285e.rlib --extern tls_parser=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libtls_parser-aa2109240878a5b6.rlib --extern toml=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libtoml-c9b406acce4f7d9f.rlib --extern users=/wrkdirs/usr/ports/devel/sniffglue/work/target/x86_64-unknown-freebsd/release/deps/libusers-08ecf72cc62afd7b.rlib -C link-arg=-fstack-protector-strong -L native=/usr/lib` (exit status: 1)
*** Error code 101

Crash on Fedora 34 without `--insecure-disable-seccomp`

Hello there!

I recently tried sniffglue, which looks quite great. As it's not packaged on Fedora yet, I installed it with a simple cargo install sniffglue.

Unfortunately, without running it with the --insecure-disable-seccomp flag, it instantly crashes on my machine.
Here is a backtrace from the core dump:

(gdb) bt
#0  0x00007efdb5da4b8b in getpid () from /lib64/libc.so.6
#1  0x00007efdb5c15350 in generate_local_port () from /lib64/libnl-3.so.200
#2  0x00007efdb5c1ff86 in nl_connect () from /lib64/libnl-3.so.200
#3  0x00007efdb5ccb4fb in find_sysfs_devs_nl () from /lib64/libibverbs.so.1
#4  0x00007efdb5cc916d in ibv_get_device_list () from /lib64/libibverbs.so.1
#5  0x00007efdb6067580 in rdmasniff_findalldevs () from /lib64/libpcap.so.1
#6  0x00007efdb6067c39 in pcap_findalldevs () from /lib64/libpcap.so.1
#7  0x00007efdb6068267 in pcap_lookupdev () from /lib64/libpcap.so.1
#8  0x000055c01c3d19f2 in sniffglue::sniff::default_interface () at src/sniff.rs:62
#9  0x000055c01c35ad52 in sniffglue::main () at src/main.rs:34

Indeed, once in seccomp mode, it seems legit not to be able to call getpid()... As to why libnl-3 ends up here, that will have to remain a mystery to me for tonight...

Do you need anything more? I probably won't be able to dig that further, as I have basically no idea of what's going on, but I can help test some stuff.

Fails to compile via cargo install sniffglue

On MacOS and Ubuntu, the same error preventing installation while running "cargo install sniffglue"

Dell-3:~$ cargo install sniffglue
Updating crates.io index
Installing sniffglue v0.9.0
Compiling libc v0.2.58
Compiling autocfg v0.1.4
Compiling rand_core v0.4.0
Compiling siphasher v0.2.3
Compiling proc-macro2 v0.4.30
Compiling memchr v2.2.0
Compiling unicode-xid v0.1.0
Compiling typenum v1.10.0
Compiling version_check v0.1.5
Compiling byteorder v1.3.2
Compiling bitflags v1.1.0
Compiling syn v0.15.38
Compiling regex v1.1.7
Compiling unicode-width v0.1.5
Compiling ryu v0.2.8
Compiling ucd-util v0.1.3
Compiling unicode-segmentation v1.3.0
Compiling serde v1.0.93
Compiling lazy_static v1.3.0
Compiling byte-tools v0.3.1
Compiling pcap v0.7.0
Compiling strsim v0.8.0
Compiling vec_map v0.8.1
Compiling quick-error v1.2.2
Compiling nix v0.14.1
Compiling cfg-if v0.1.9
Compiling utf8-ranges v1.0.3
Compiling ansi_term v0.11.0
Compiling termcolor v1.0.5
Compiling void v1.0.2
Compiling itoa v0.4.4
Compiling opaque-debug v0.2.2
Compiling fake-simd v0.1.2
Compiling cookie-factory v0.2.4
Compiling reduce v0.1.2
Compiling phf_shared v0.7.24
Compiling rand_core v0.3.1
Compiling rand_chacha v0.1.1
Compiling rand_pcg v0.1.2
Compiling rand v0.6.5
Compiling num-traits v0.2.8
Compiling nom v4.2.3
Compiling textwrap v0.11.0
Compiling regex-syntax v0.6.7
Compiling block-padding v0.1.4
Compiling thread_local v0.3.6
Compiling humantime v1.2.0
Compiling log v0.4.6
Compiling heck v0.3.1
Compiling rand_hc v0.1.0
Compiling rand_isaac v0.1.1
Compiling rand_xorshift v0.1.1
Compiling phf v0.7.24
Compiling rand_os v0.1.3
Compiling rand_jitter v0.1.4
Compiling atty v0.2.11
Compiling time v0.1.42
Compiling dirs-sys v0.3.3
Compiling num_cpus v1.10.1
Compiling users v0.9.1
Compiling aho-corasick v0.7.3
Compiling dns-parser v0.8.0
Compiling base64 v0.10.1
Compiling clap v2.33.0
Compiling generic-array v0.12.0
Compiling threadpool v1.7.1
Compiling dirs v2.0.1
Compiling quote v0.6.12
Compiling dhcp4r v0.1.0
Compiling rusticata-macros v1.1.0
Compiling num-traits v0.1.43
Compiling digest v0.8.0
Compiling block-buffer v0.7.3
Compiling enum_primitive v0.1.1
Compiling sha2 v0.8.0
Compiling toml v0.5.1
Compiling serde_json v1.0.39
Compiling phf_generator v0.7.24
Compiling phf_codegen v0.7.24
Compiling tls-parser v0.7.1
Compiling env_logger v0.6.1
Compiling structopt-derive v0.2.16
Compiling serde_derive v1.0.93
Compiling structopt v0.2.16
Compiling pktparse v0.4.0
Compiling sniffglue v0.9.0
error[E0432]: unresolved imports nix::unistd::getgroups, nix::unistd::setgroups
--> /Users/skickar/.cargo/registry/src/github.com-1ecc6299db9ec823/sniffglue-0.9.0/src/sandbox/mod.rs:7:45
|
7 | use nix::unistd::{Uid, Gid, setuid, setgid, getgroups, setgroups};
| ^^^^^^^^^ ^^^^^^^^^ no setgroups in unistd
| |
| no getgroups in unistd

error[E0432]: unresolved import syscallz
--> /Users/skickar/.cargo/registry/src/github.com-1ecc6299db9ec823/sniffglue-0.9.0/src/sandbox/error.rs:3:5
|
3 | use syscallz;
| ^^^^^^^^ no syscallz in the root

error[E0119]: conflicting implementations of trait std::convert::From<[type error]> for type sandbox::error::Error:
--> /Users/skickar/.cargo/registry/src/github.com-1ecc6299db9ec823/sniffglue-0.9.0/src/sandbox/error.rs:23:1
|
17 | impl From<syscallz::Error> for Error {
| ------------------------------------ first implementation here
...
23 | impl From<config::Error> for Error {
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ conflicting implementation for sandbox::error::Error

error[E0119]: conflicting implementations of trait std::convert::From<[type error]> for type sandbox::error::Error:
--> /Users/skickar/.cargo/registry/src/github.com-1ecc6299db9ec823/sniffglue-0.9.0/src/sandbox/error.rs:29:1
|
17 | impl From<syscallz::Error> for Error {
| ------------------------------------ first implementation here
...
29 | impl From<nix::Error> for Error {
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ conflicting implementation for sandbox::error::Error

error[E0119]: conflicting implementations of trait std::convert::From<[type error]> for type sandbox::error::Error:
--> /Users/skickar/.cargo/registry/src/github.com-1ecc6299db9ec823/sniffglue-0.9.0/src/sandbox/error.rs:35:1
|
17 | impl From<syscallz::Error> for Error {
| ------------------------------------ first implementation here
...
35 | impl From<std::io::Error> for Error {
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ conflicting implementation for sandbox::error::Error

error: aborting due to 5 previous errors

Some errors occurred: E0119, E0432.
For more information about an error, try rustc --explain E0119.
error: failed to compile sniffglue v0.9.0, intermediate artifacts can be found at /var/folders/n1/l_2ynlx91lv57t122lq8lkyh0000gn/T/cargo-installe89ORx

Caused by:
Could not compile sniffglue.


Fuzzing: panic in dhcp4r, index 240 out of range

$ RUST_BACKTRACE=1 cargo run --example read_packet 'CgoAAP//QDj//wAACAAKCgAAAAAAGRERERERNScAAAoACgBDAEQ1NTU1JwAACgAKAAD//wA4//8AAAgACgo='
    Finished dev [unoptimized + debuginfo] target(s) in 0.0 secs
     Running `target/debug/examples/read_packet CgoAAP//QDj//wAACAAKCgAAAAAAGRERERERNScAAAoACgBDAEQ1NTU1JwAACgAKAAD//wA4//8AAAgACgo=`
[10, 10, 0, 0, 255, 255, 64, 56, 255, 255, 0, 0, 8, 0, 10, 10, 0, 0, 0, 0, 0, 25, 17, 17, 17, 17, 17, 53, 39, 0, 0, 10, 0, 10, 0, 67, 0, 68, 53, 53, 53, 53, 39, 0, 0, 10, 0, 10, 0, 0, 255, 255, 0, 56, 255, 255, 0, 0, 8, 0, 10, 10]
thread 'main' panicked at 'index 240 out of range for slice of length 20', /checkout/src/libcore/slice/mod.rs:748:4
stack backtrace:
   0: std::sys::imp::backtrace::tracing::imp::unwind_backtrace
             at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
   1: std::sys_common::backtrace::_print
             at /checkout/src/libstd/sys_common/backtrace.rs:71
   2: std::panicking::default_hook::{{closure}}
             at /checkout/src/libstd/sys_common/backtrace.rs:60
             at /checkout/src/libstd/panicking.rs:381
   3: std::panicking::default_hook
             at /checkout/src/libstd/panicking.rs:397
   4: std::panicking::rust_panic_with_hook
             at /checkout/src/libstd/panicking.rs:611
   5: std::panicking::begin_panic
             at /checkout/src/libstd/panicking.rs:572
   6: std::panicking::begin_panic_fmt
             at /checkout/src/libstd/panicking.rs:522
   7: rust_begin_unwind
             at /checkout/src/libstd/panicking.rs:498
   8: core::panicking::panic_fmt
             at /checkout/src/libcore/panicking.rs:71
   9: core::slice::slice_index_len_fail
             at /checkout/src/libcore/slice/mod.rs:748
  10: <core::ops::range::Range<usize> as core::slice::SliceIndex<[T]>>::index
             at /checkout/src/libcore/slice/mod.rs:879
  11: core::slice::<impl core::ops::index::Index<I> for [T]>::index
             at /checkout/src/libcore/slice/mod.rs:730
  12: dhcp4r::packet::decode
             at /XXXX/.cargo/registry/src/github.com-1ecc6299db9ec823/dhcp4r-0.1.0/src/packet.rs:22
  13: sniffglue::centrifuge::dhcp::extract
             at src/centrifuge/dhcp.rs:52
  14: sniffglue::centrifuge::udp::extract
             at src/centrifuge/udp.rs:25
  15: sniffglue::centrifuge::parse
             at src/centrifuge/mod.rs:31
  16: read_packet::main
             at examples/read_packet.rs:11
  17: __rust_maybe_catch_panic
             at /checkout/src/libpanic_unwind/lib.rs:99
  18: std::rt::lang_start
             at /checkout/src/libstd/panicking.rs:459
             at /checkout/src/libstd/panic.rs:361
             at /checkout/src/libstd/rt.rs:61
  19: main
  20: __libc_start_main
  21: _start
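
The panic reported above is an index to offset 240 (where DHCP options begin: the 236-byte BOOTP header plus the 4-byte magic cookie, per RFC 2131) on a 20-byte slice. The following is an added example, not code from sniffglue or dhcp4r: a DHCP decoder in which every read is length-checked, run against the 20 trailing bytes of the packet dump in the report. `decode_dhcp`, `sample_packet`, `Dhcp` and `DecodeError` are hypothetical names, and the well-formed packets are constructed.

```rust
// Added example (hypothetical names); not sniffglue's or dhcp4r's code.
// RFC 2131 layout: 236-byte BOOTP header, 4-byte magic cookie, options from 240.
const BOOTP_FIXED_LEN: usize = 236;
const MAGIC_COOKIE: [u8; 4] = [99, 130, 83, 99];
const OPT_PAD: u8 = 0;
const OPT_MSG_TYPE: u8 = 53;
const OPT_END: u8 = 255;

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    Truncated { needed: usize, got: usize },
    BadCookie,
    OptionOverrun { code: u8 },
}

#[derive(Debug, PartialEq)]
pub struct Dhcp {
    pub op: u8,
    pub xid: u32,
    pub chaddr: [u8; 6],
    pub msg_type: Option<u8>,
}

/// Decode a UDP payload as DHCP; short or malformed input returns `Err`, never panics.
pub fn decode_dhcp(p: &[u8]) -> Result<Dhcp, DecodeError> {
    let need = BOOTP_FIXED_LEN + MAGIC_COOKIE.len();
    let cookie = p
        .get(BOOTP_FIXED_LEN..need)
        .ok_or(DecodeError::Truncated { needed: need, got: p.len() })?;
    if cookie != &MAGIC_COOKIE[..] {
        return Err(DecodeError::BadCookie);
    }
    // The check above guarantees that offsets 0..240 exist.
    let xid = u32::from_be_bytes([p[4], p[5], p[6], p[7]]);
    let mut chaddr = [0u8; 6];
    chaddr.copy_from_slice(&p[28..34]);
    let mut msg_type = None;
    let mut opts = &p[need..];
    while let Some((&code, rest)) = opts.split_first() {
        match code {
            OPT_PAD => { opts = rest; continue; }
            OPT_END => break,
            _ => {}
        }
        // Option = code, length, value: the length byte and the value must both fit.
        let (&len, rest) = rest.split_first().ok_or(DecodeError::OptionOverrun { code })?;
        let value = rest.get(..len as usize).ok_or(DecodeError::OptionOverrun { code })?;
        if code == OPT_MSG_TYPE && len == 1 {
            msg_type = Some(value[0]);
        }
        opts = &rest[len as usize..];
    }
    Ok(Dhcp { op: p[0], xid, chaddr, msg_type })
}

/// Constructed sample: a minimal BOOTREQUEST followed by the given option bytes.
pub fn sample_packet(options: &[u8]) -> Vec<u8> {
    let mut p = vec![0u8; BOOTP_FIXED_LEN];
    p[0] = 1; // op = BOOTREQUEST
    p[4..8].copy_from_slice(&0xdead_beef_u32.to_be_bytes());
    p[28..34].copy_from_slice(&[0x02, 0, 0, 0, 0, 0x01]);
    p.extend_from_slice(&MAGIC_COOKIE);
    p.extend_from_slice(options);
    p
}

// Last 20 bytes of the packet dump in the fuzzing report (the bytes after the UDP header).
pub const FUZZ_PAYLOAD: [u8; 20] =
    [39, 0, 0, 10, 0, 10, 0, 0, 255, 255, 0, 56, 255, 255, 0, 0, 8, 0, 10, 10];

fn main() {
    println!("{:?}", decode_dhcp(&FUZZ_PAYLOAD));
    println!("{:?}", decode_dhcp(&sample_packet(&[53, 1, 1, 255])));
}
```

The option loop applies the same rule as the header check: a length byte that points past the end of the buffer is reported as an error rather than trusted.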

Contribute nom3 patch to pktparse-rs

It seems we can't use nom2 and nom3 dependencies at the same time, so we have to bump all dependencies to nom3 at once. There's currently no nom3 version of pktparse-rs so a PR is required.

Test program for sandbox in examples/

There should be a test program in examples/ that can be compiled with various features from the src/sandbox/ module to get a picture of what the process looks like with the sandbox enabled.

This file should be part of the travis tests to ensure the protection actually works.

Not-quite-live output

When using sniffglue to capture packages, output takes an extremely long time to show up.

This is a cast recorded w/o cutting out breaks of the delay between making a request and seeing that request actually show up https://asciinema.org/a/l4MTLV8Qf49D1mUNVSf4oXXEj

Is this "intended behavior"?
Is this a bug?
Is maybe my system misconfigured?(1)

Versions:

  • sniffglue: sniffglue 0.9.0
  • os (arch): Linux sigma 5.3.12-arch1-1 #1 SMP PREEMPT Wed, 20 Nov 2019 19:45:16 +0000 x86_64 GNU/Linux
  • core/libpcap 1.9.1-2
  • core/libseccomp 2.4.1-3
  • rustc rustc 1.39.0 (4560ea788 2019-11-04)
  • cargo cargo 1.39.0 (1c6ec66d5 2019-09-30)

(1): If this is the case then it's my fault, but it would be nice to know
