I’ve been using Daemonlogger now for some time, and really like this compact yet highly functional packet capture tool from Marty Roesch (mr. Snort himself). It’s libpcap based and has some nice features like log-&-replay, log rotation and ring-buffer. Features that are missing in the tcpdump implementation I used prior to Daemonlogger.
In many situations I like to use the -t option to partition the log files based on time, e.g. -t 1h to get one pcap file each hour (aligned on the hour). Also, I usually create a dedicated disk partition for pcap storage. In these situations I think Daemonlogger doesn’t quite “cut the mustard”. It’s missing an easy way to have it utilize most of the dedicated disk space and rotating the pcap files based on time intervals whilst maintaining an active ring-buffer. Of course, you may use the -s option to rotate based on the size of the log file (in bytes) and also set a count limit with -m. But, as I mentioned, I’m more of a time guy.
This is why I made a small patch to Daemonlogger which implements the missing feature. The added option (-x) lets you specify the amount of free space you want to have on the disk where the pcap files are stored.
daemonlogger -i eth0 -d -l /var/log/pcap -S 0 -t 1h -x 500 -r
In the above example, daemonlogger sniffs on eth0 interface, runs in daemon mode, logs to /var/log/pcap with a max snap length and creates a new file every hour on the hour. When there is less than 500 MiB of free space on the disk device that holds /var/log/pcap, the ring-buffer will activate and delete the oldest file in that directory.
Download file: daemonlogger.honeynor.patch
Disclamer: I’m by no means an experienced C-programmer, so you’re on your own pal if you apply this patch :)