sniffglue – Secure Multithreaded Packet Sniffer

sniffglue is a network sniffer written in Rust. Network packets are parsed concurrently using a thread pool to utilize all CPU cores. The project goals are that you can run sniffglue securely on untrusted networks and that it must not crash when processing packets. The output should be as useful as possible by default.

Sniffers are traffic analyzers that process all the information passing through computer networks and look at what is being transmitted. This is an illegal activity unless it is carried out within the scope of penetration testing, as it allows an attacker to capture all users' data, which may include sensitive information.

To ensure that a compromised process doesn't compromise the system, sniffglue uses seccomp to restrict the syscalls that can be used after the process has started. This is done in two stages: first at the very beginning (directly after env_logger is initialized), and again after the sniffer has been set up but before packets are read from the network.

During the second stage, some general hardening is also applied before all unneeded syscalls are finally disabled. These settings are system-specific, so a configuration file is read from /etc/sniffglue.conf. This config file specifies an empty directory for chroot and an unprivileged account in user that is used to drop root privileges.
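
A pre-flight check for the two values the configuration file supplies, as an added example (not sniffglue's own code): it reports a chroot directory that is not empty or is writable by other accounts, and an account that is missing or resolves to uid 0. The function names, the passwd-format input and the sample values are assumptions made for the illustration.

```rust
use std::fs;
use std::os::unix::fs::PermissionsExt;
use std::path::Path;

// Find a user's UID in passwd-format text (name:pw:uid:gid:...).
fn uid_of(passwd: &str, user: &str) -> Option<u32> {
    passwd
        .lines()
        .map(|l| l.split(':').collect::<Vec<_>>())
        .find(|f| f.len() >= 3 && f[0] == user)
        .and_then(|f| f[2].parse().ok())
}

// Hypothetical pre-flight check: list what is wrong with a chroot directory
// and drop-to account. An empty Vec means both are fit for the sandbox.
fn audit_sandbox(chroot: &Path, user: &str, passwd: &str) -> Vec<String> {
    let mut problems = Vec::new();
    match uid_of(passwd, user) {
        None => problems.push(format!("user {:?} not found", user)),
        Some(0) => problems.push(format!("user {:?} is uid 0, nothing is dropped", user)),
        Some(_) => {}
    }
    match fs::read_dir(chroot) {
        Err(e) => problems.push(format!("chroot {}: {}", chroot.display(), e)),
        Ok(mut entries) => {
            // Anything inside the jail stays reachable after chroot().
            if entries.next().is_some() {
                problems.push(format!("chroot {} is not empty", chroot.display()));
            }
        }
    }
    if let Ok(meta) = fs::metadata(chroot) {
        // Group/other write bits let another account populate the jail later.
        if (meta.permissions().mode() & 0o022) != 0 {
            problems.push(format!("chroot {} is group/world writable", chroot.display()));
        }
    }
    problems
}

fn main() {
    // Constructed sample input: a scratch directory and two passwd lines.
    let passwd = "root:x:0:0::/root:/bin/sh\nsniff:x:999:999::/nonexistent:/bin/false\n";
    let jail = std::env::temp_dir().join("sniffglue-audit-demo");
    let _ = fs::create_dir(&jail);
    for user in &["sniff", "root", "ghost"] {
        println!("{} -> {:?}", user, audit_sandbox(&jail, user, passwd));
    }
}
```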

The tool supports the following protocols:

  • ethernet
  • ipv4
  • ipv6
  • arp
  • tcp
  • udp
  • icmp
  • http
  • tls
  • dns
  • dhcp
  • cjdns eth beacons
  • ssdp
  • dropbox beacons

You can read more and download the tool over here: https://github.com/kpcyrd/sniffglue