DAEMONLOGGER(8) | System Manager's Manual | DAEMONLOGGER(8) |
NAME
daemonlogger — program to capture packets from an interface and log or rewrite them
SYNOPSIS
daemonlogger [-c count] [-d] [-f bpf file] [-F] [-g group name] [-i interface] [-l path] [-m count] [-M pct] [-n name] [-o out interface] [-p pidfile] [-P pidpath] [-r] [-R pcap file] [-s bytes] [-S snaplen] [-t time] [-u user name] [-T chroot path] [bpf filter]
DESCRIPTION
This manual page briefly documents the daemonlogger program.
This manual page was written for the Debian distribution because the original program does not have a manual page.
daemonlogger is a simple packet logging and software tapping program that can be run either in the foreground or in daemon mode.
daemonlogger can be used in two different (and mutually exclusive) ways:
- Sniffing mode
- In this mode, daemonlogger will read (sniff) packets from a network interface and spool them straight to disk. It will automatically roll over the capture file when it reaches a specific size.
- Software tap
- In this mode, daemonlogger will read packets from an input interface and rewrite them to a second (output) interface, acting as a software tap.
OPTIONS
You can specify packet filter commands after the command line switches just like in tcpdump or Snort. If no filter is defined it will capture all packets coming to the interface.
A summary of available options is included below.
- -h
- Show summary of options.
- -v
- Show version of program.
- -c count
- Log count packets and exit.
- -d
- Daemonize at startup.
- -f bpf file
- Load the BPF filter to use from bpf file.
- -F
- Flush the pcap buffer for each packet. As each packet is saved, it will be written to the output file rather than being written only when the output buffer fills.
- -g group name
- Set the group ID of the process running the program to group name.
- -i interface
- Grab packets from the interface interface.
- -l path
- Log all the pcap log files to directory path.
- -m count
- Generate count log files and exit. In ringbuffer mode, write count log files and then delete the oldest file in the set each time that number is exceeded. The program will not exit when in this mode.
- -M pct
- Used in concert with the -r ringbuffer switch, this option will write log files to the disk until it is at pct utilization and then roll over and delete the oldest log file. For example, "-M 90" would write files to the disk until it is 90% utilized and then roll over and delete the oldest file in the logging directory. If the -s "size" switch is not set, the default log file size is 2GB.
- -n name
- Set output filename prefix to name. The default is daemonlogger.pcap.
- -o out interface
- Act as a software tap: disable logging and retransmit all data from interface to out interface.
- -p pidfile
- When running in daemon mode, use pidfile for the name of the PID file created. The default is daemonlogger.pid.
- -P pidpath
- When running in daemon mode, use pidpath as the directory where PID files will be created. The default is /var/run.
- -r
- Activate ringbuffer mode.
- -R pcap file
- Read packets from pcap file instead of using an input interface.
- -s bytes
- Roll over the log file every bytes bytes. By default the rollover occurs every 2 GB. The parameter bytes can be appended with "k" (for kilobytes), "m" (for megabytes), "g" (for gigabytes) and "t" (for terabytes).
- -S snaplen
- Capture snaplen bytes per packet. If not defined, all the contents of the packets will be captured (which is equivalent to setting snaplen to 65535 bytes).
- -t time
- Roll over the log file at specific time intervals. The time interval can be appended with "m" (for minutes), "h" (for hours) or "d" (for days). If no interval selector is used then the default rollover interval is in seconds. For example, "-t 60" rolls the log file over every 60 seconds and "-t 2h" rolls the log file over every two hours at the top of the hour. In the case of minute/hour/day-based rollovers, the program will round to the next highest hour. For example, if the program is told to roll over every 2 hours and is started 38 minutes into the current hour, it will add 2 to the current hour and roll over as scheduled at the top of the hour at current hour + 2. If the program was started at 13:38 it would roll over the log file at 15:00.
- -u user name
- When daemonized, the process' user ID will be set to user name.
- -T chroot path
- Chroot to the directory chroot path.
- -z
- Select log file pruning behavior. Omitting this switch results in the default mode being used where the oldest log file in the logging directory is pruned. Setting the -z switch changes the behavior so that daemonlogger will prune the oldest file from its current instantiation and leave files from older runs in the same logging directory alone.
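The -t rounding rule described above, worked through as an added example (not part of the original manual page or of daemonlogger's source): it lists the rollover times for a given start time and finds the file window that should contain a timestamp of interest. The function names are hypothetical, and the minute and day boundaries are assumed to behave like the documented hour case.

```python
from datetime import datetime, timedelta

# -t suffixes from the option text; a bare number means seconds.
UNITS = {"m": "minutes", "h": "hours", "d": "days"}
# Fields zeroed to find the boundary each unit counts from. The page only
# works the hour case (13:38 -> 15:00); minutes and days are ASSUMED analogous.
TRUNCATE = {
    "seconds": {},
    "minutes": {"second": 0},
    "hours": {"minute": 0, "second": 0},
    "days": {"hour": 0, "minute": 0, "second": 0},
}


def parse_interval(arg):
    """Split a -t argument such as '60' or '2h' into (count, unit)."""
    arg = arg.strip().lower()
    unit = UNITS.get(arg[-1:], "seconds")
    count = arg[:-1] if unit != "seconds" else arg
    if not count.isdigit() or int(count) == 0:
        raise ValueError(f"invalid -t interval: {arg!r}")
    return int(count), unit


def schedule(start, arg):
    """Return (base, step): rollovers happen at base + k*step for k >= 1."""
    count, unit = parse_interval(arg)
    base = start.replace(microsecond=0, **TRUNCATE[unit])
    return base, timedelta(**{unit: count})


def rollover_times(start, arg, n=3):
    """First n rollover times for a capture started at `start`."""
    base, step = schedule(start, arg)
    return [base + step * k for k in range(1, n + 1)]


def window_for(start, arg, when):
    """(begin, end) of the capture file window that contains `when`."""
    if when < start:
        raise ValueError("timestamp precedes the start of the capture")
    base, step = schedule(start, arg)
    k = (when - base) // step
    begin = start if k < 1 else base + step * k
    return begin, base + step * (k + 1)


if __name__ == "__main__":
    started = datetime(2024, 1, 10, 13, 38)  # constructed start time
    print(rollover_times(started, "2h"))
    print(window_for(started, "2h", datetime(2024, 1, 10, 16, 5)))
```

The first window is shorter than the interval because it runs from the actual start time to the first rounded boundary.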
SEE ALSO
tcpdump(8).
AUTHOR
This manual page was written by Javier Fernandez-Sanguino Peña <jfs@debian.org> for the Debian system (and may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.