.\" Generated by scdoc 1.11.3
.\" Complete documentation for this program is not available as a GNU info page
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.nh
.ad l
.\" Begin generated content:
.TH "sniffglue" "1" "2025-01-23"
.PP
.SH NAME
.PP
sniffglue - secure multithreaded packet sniffer
.PP
.SH SYNOPSIS
.PP
\fBsniffglue [-vrpVh] [-n <threads>]\fR \fIdevice\fR
.PP
.SH DESCRIPTION
.PP
\fBsniffglue\fR is a network sniffer written in Rust.\& Network packets are parsed
concurrently using a thread pool to utilize all CPU cores.\& Project goals are
that \fBsniffglue\fR can be run securely on untrusted networks and that it must
not crash when processing packets.\& The output should be as useful as possible
by default.\&
.PP
.SH OPTIONS
.PP
\fB-v\fR, \fB--verbose\fR
.RS 4
Increase filter sensitivity to show more (possibly less useful) packets.\&
By default only a few packets are shown; this flag can be specified multiple
times (maximum: 4).\&
.PP
.RE
\fB-h\fR, \fB--help\fR
.RS 4
Prints help information.\&
.PP
.RE
\fB-p\fR, \fB--promisc\fR
.RS 4
Set \fIdevice\fR to promiscuous mode.\&
.PP
.RE
\fB-r\fR, \fB--read\fR
.RS 4
Open \fIdevice\fR as pcap file.\&
.PP
.RE
\fB-n\fR, \fB--threads\fR \fIthreads\fR
.RS 4
Specify the number of threads.\&
.PP
.RE
\fB-V\fR, \fB--version\fR
.RS 4
Prints version information.\& If \fB-r\fR was specified, open as pcap file
instead.\&
.PP
.RE
.SH EXAMPLES
.PP
Sniff with default filters (dhcp, dns, tls, http) from \fIenp0s25\fR:
.PP
.RS 4
\fBsniffglue enp0s25\fR
.PP
.RE
Increase the filter sensitivity (arp):
.PP
.RS 4
\fBsniffglue -v enp0s25\fR
.PP
.RE
Increase the filter sensitivity (cjdns, ssdp, dropbox, packets with valid UTF-8):
.PP
.RS 4
\fBsniffglue -vv enp0s25\fR
.PP
.RE
Almost everything:
.PP
.RS 4
\fBsniffglue -vvv enp0s25\fR
.PP
.RE
Everything:
.PP
.RS 4
\fBsniffglue -vvvv enp0s25\fR
.PP
.RE
Read a dump from \fIsniff.\&pcap\fR with increased filter sensitivity and decode packets with 1 thread:
.PP
.RS 4
\fBsniffglue -vvrn1 sniff.\&pcap\fR
.PP
.RE
.SH PROTOCOLS
.PP
\fBethernet\fR, \fBipv4\fR, \fBipv6\fR, \fBarp\fR, \fBtcp\fR, \fBudp\fR, \fBhttp\fR, \fBtls\fR, \fBdns\fR, \fBdhcp\fR,
\fBcjdns eth beacons\fR, \fBssdp\fR, \fBdropbox beacons\fR
.PP
.SH SECURITY
.PP
To report a security issue please contact kpcyrd on ircs://irc.\&hackint.\&org.\&
.PP
.SS SECCOMP
.PP
To ensure a compromised process doesn'\&t compromise the system, sniffglue uses
seccomp to restrict the syscalls that can be used after the process has started.\&
This is done in two stages: first at the very beginning (directly after
env_logger has been initialized) and again after the sniffer has been set up, but
before packets are read from the network.\&
.PP
.SS HARDENING
.PP
During the second stage, some general hardening is also applied before all
unneeded syscalls are finally disabled.\& These steps are system specific,
so a configuration file is read from \fB/etc/sniffglue.\&conf\fR.\& This config
file specifies an empty directory for \fBchroot\fR and an unprivileged account
in \fBuser\fR that is used to drop root privileges.\&
.PP
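The two seccomp stages and the hardening step between them, as an added example
that is not sniffglue'\&s own code: a small C program (Linux only) forks a child,
installs an early seccomp-BPF filter through prctl(2), performs the chroot and
privilege drop, installs the final, tighter filter, and reports which steps took
effect.\& sniffglue disables every syscall it does not need; to stay runnable
anywhere, this demo instead denies two harmless syscalls (getppid, then getpid)
and treats EPERM as proof that a filter is in force.\& The chroot target created
with mkdtemp and the uid/gid 65534 are constructed stand-ins for the
\fBchroot\fR and \fBuser\fR settings of \fB/etc/sniffglue.\&conf\fR; the hardening
step only runs when started as root and is skipped otherwise.\&
.PP
.nf
```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/* Explicit prototypes so this builds even if a header was pulled in before _GNU_SOURCE. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif
/* Constructed stand-in for the `user` setting: 65534 is "nobody" on most Linux systems. */
#define DEMO_UID 65534
#define DEMO_GID 65534

/* Install a seccomp-BPF filter that fails every syscall number in `denied` with
 * EPERM and allows the rest. A production filter allow-lists instead, but the
 * shape is the same: check the architecture, compare the syscall number, fall
 * through to a default action. Filters stack: a later stage can only take
 * syscalls away, never give them back. */
static int install_filter(const int *denied, size_t n) {
    struct sock_filter prog[5 + 2 * n];   /* C99 VLA sized by the deny list */
    size_t i = 0;
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++) {
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)denied[k], 0, 1);
        prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    }
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    struct sock_fprog fprog = { .len = (unsigned short)i, .filter = prog };
    /* Required for unprivileged callers; also stops exec of setuid binaries from escaping. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* The hardening step: chroot into an empty directory, then drop root for good.
 * Returns 0 when applied, 1 when skipped (not root), -1 on failure. */
static int drop_privileges(const char *empty_dir, uid_t uid, gid_t gid) {
    if (getuid() != 0) return 1;
    if (chroot(empty_dir) != 0 || chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;        /* forget supplementary groups */
    if (setresgid(gid, gid, gid) != 0) return -1;  /* gid first, while still root */
    if (setresuid(uid, uid, uid) != 0) return -1;
    if (setuid(0) == 0) return -1;                 /* regaining root must fail */
    return 0;
}

/* True when the kernel refuses syscall `nr` with EPERM, i.e. the filter is in force. */
static int is_denied(long nr) {
    errno = 0;
    return syscall(nr) == -1 && errno == EPERM;
}

/* Fork a child that walks the three steps in sniffglue's order and returns a bitmask:
 * 1 = stage-1 filter enforced, 2 = stage-2 filter enforced, 4 = chroot and
 * privilege drop applied (root only), 8 = hardening attempted but failed.
 * Returns -1 if the child could not be started or was killed. */
int run_sandboxed_child(void) {
    char dir[] = "/tmp/sniffglue-demo.XXXXXX";   /* constructed empty chroot directory */
    if (mkdtemp(dir) == NULL) return -1;
    pid_t pid = fork();
    if (pid < 0) { rmdir(dir); return -1; }
    if (pid == 0) {
        int result = 0;
        const int stage1[] = { SYS_getppid };              /* early, coarse filter */
        const int stage2[] = { SYS_getppid, SYS_getpid };  /* final, tighter filter */
        if (install_filter(stage1, 1) == 0 && is_denied(SYS_getppid) && !is_denied(SYS_getpid))
            result |= 1;
        int h = drop_privileges(dir, DEMO_UID, DEMO_GID);
        if (h == 0) result |= 4; else if (h < 0) result |= 8;
        if (install_filter(stage2, 2) == 0 && is_denied(SYS_getppid) && is_denied(SYS_getpid))
            result |= 2;
        _exit(result);
    }
    int status;
    int ok = waitpid(pid, &status, 0) == pid;
    rmdir(dir);
    return ok && WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) { return (run_sandboxed_child() & 3) == 3 ? 0 : 1; }
```
.fi
.PP
Run as an unprivileged user the bitmask is 3 (both filters enforced, hardening
skipped); as root with CAP_SYS_CHROOT it is 7.\& The deny-list is the inverse of
what this section describes, but the ordering is the point: the coarse filter goes
in first, chroot and the setuid calls happen while they are still permitted, and
the final filter closes everything else before untrusted packets are touched.\&
.PP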
.SS FUZZING
.PP
The packet processing of \fBsniffglue\fR can be fuzzed using \fIcargo-fuzz\fR.\&
Everything you should need is provided in the \fIfuzz/\fR directory that is
distributed along with the source code.\& Please note that this program links
to \fIlibpcap\fR, which is not included in the current fuzzing configuration.\&
.PP
.SH SEE ALSO
.PP
\fBpcap(3PCAP)\fR, \fBseccomp(2)\fR
.PP
.SH AUTHORS
.PP
This program was originally written and is currently maintained by kpcyrd.\&
Bug reports and patches are welcome on GitHub:
.PP
.RS 4
\fIhttps://github.\&com/kpcyrd/sniffglue\fR