.TH "DAEMONLOGGER" "8"
.SH "NAME"
daemonlogger \(em capture packets from an interface and log them to disk or rewrite them to another interface
.SH "SYNOPSIS"
.PP
\fBdaemonlogger\fR [\fB-c \fIcount\fR\fP] [\fB-d\fP] [\fB-f \fIbpf file\fR\fP] [\fB-F\fP] [\fB-g \fIgroup name\fR\fP] [\fB-h\fP] [\fB-i \fIinterface\fR\fP] [\fB-l \fIpath\fR\fP] [\fB-m \fIcount\fR\fP] [\fB-M \fIpct\fR\fP] [\fB-n \fIname\fR\fP] [\fB-o \fIout interface\fR\fP] [\fB-p \fIpidfile\fR\fP] [\fB-P \fIpidpath\fR\fP] [\fB-r\fP] [\fB-R \fIpcap file\fR\fP] [\fB-s \fIbytes\fR\fP] [\fB-S \fIsnaplen\fR\fP] [\fB-t \fItime\fR\fP] [\fB-u \fIuser name\fR\fP] [\fB-T \fIchroot path\fR\fP] [\fB-v\fP] [\fB-z\fP] [\fIbpf filter\fR]
.SH "DESCRIPTION"
.PP
This manual page briefly documents the
\fBdaemonlogger\fR command.
.PP
This manual page was written for the \fBDebian\fP distribution
because the original program does not have a manual page.
.PP
\fBdaemonlogger\fR is a simple packet logging and
software tapping program that can be run either in the foreground or in
daemon mode.
.PP
\fBdaemonlogger\fR can be used in two different
(and mutually exclusive) ways:
.IP "Sniffing mode" 10
In this mode, \fBdaemonlogger\fR will
read (sniff) packets from a network interface and spool them straight
to disk. It will automatically roll over the capture file when it
reaches a specific size.
.IP "Software tap" 10
In this mode, \fBdaemonlogger\fR will
read packets from an input interface and rewrite them to a second
(output) interface, acting as a software tap.
.SH "OPTIONS"
.PP
A BPF packet filter expression can be given after the command line
switches, just as with tcpdump or Snort. If no filter is given,
all packets arriving on the interface are captured.
.PP
A summary of available options is included below.
.IP "\fB-h\fP " 10
Show summary of options.
.IP "\fB-v\fP " 10
Show version of program.
.IP "\fB-c \fIcount\fR\fP " 10
Log \fIcount\fR packets and exit.
.IP "\fB-d\fP " 10
Daemonize at startup.
.IP "\fB-f \fIbpf file\fR\fP" 10
Load the BPF filter to use from \fIbpf file\fR.
.IP "\fB-F\fP" 10
Flush the pcap buffer for each packet. As each packet is saved,
it will be written to the output file rather than being written only when the
output buffer fills.
.IP "\fB-g \fIgroup name\fR\fP" 10
Set the group ID of the process running the program to \fIgroup name\fR.
.IP "\fB-i \fIinterface\fR\fP" 10
Grab packets from the interface \fIinterface\fR.
.IP "\fB-l \fIpath\fR\fP" 10
Log all the pcap log files to directory \fIpath\fR.
.IP "\fB-m \fIcount\fR\fP" 10
Generate \fIcount\fR log files and exit.
In ringbuffer mode (\fB-r\fP), keep writing files and delete the oldest
file in the set each time the number of log files written exceeds
\fIcount\fR. The program does not exit in this mode.
.IP "\fB-M \fIpct\fR\fP" 10
Used in concert with the \fB-r\fP ringbuffer switch,
this option writes log files to the disk until it reaches
\fIpct\fR percent utilization and then rolls over and deletes the
oldest log file. For example, "\-M 90" writes files to the disk until it
is 90% utilized and then rolls over and deletes the oldest file in the
logging directory. If the \fB-s\fP size switch is not set, the
default log file size is 2GB.
.IP "\fB-n \fIname\fR\fP" 10
Set output filename prefix to \fIname\fR.
The default is daemonlogger.pcap.
.IP "\fB-o \fIout interface\fR\fP" 10
Act as a software tap: disable logging and retransmit all data from
\fIinterface\fR to \fIout interface\fR.
.IP "\fB-p \fIpidfile\fR\fP" 10
When running in daemon mode, use \fIpidfile\fR for the name of the PID file created. The default is daemonlogger.pid.
.IP "\fB-P \fIpidpath\fR\fP " 10
When running in daemon mode, use \fIpidpath\fR as the directory where PID files will be created. The default is
/var/run.
.IP "\fB-r\fP" 10
Activate ringbuffer mode.
.IP "\fB-R \fIpcap file\fR\fP " 10
Read packets from \fIpcap file\fR instead
of using an input interface.
.IP "\fB-s \fIbytes\fR\fP" 10
Roll over the log file every \fIbytes\fR bytes. By default the rollover occurs every 2 GB. The parameter
\fIbytes\fR can be suffixed with "k" (for kilobytes), "m"
(for megabytes), "g" (for gigabytes) or "t" (for terabytes).
.IP "\fB-S \fIsnaplen\fR\fP " 10
Capture \fIsnaplen\fR bytes per packet. If not
defined, the full contents of each packet are captured (which is equivalent
to setting \fIsnaplen\fR to 65535 bytes).
.IP "\fB-t \fItime\fR\fP" 10
Roll over the log file at a fixed time interval. The interval
can be suffixed with "m" (for minutes), "h" (for hours) or "d" (for days). If no suffix is used, the
interval is in seconds. For example, "\-t 60" rolls the log
file over every 60 seconds and "\-t 2h" rolls the log file over every two hours
at the top of the hour. For minute/hour/day-based rollovers, the program
rounds up to the next whole hour. For example, if the program is told to
roll over every 2 hours and is started 38 minutes into the current hour, it
adds 2 to the current hour and rolls over at the top of that hour.
If the program was started at 13:38 it would roll over the
logfile at 15:00.
.IP "\fB-u \fIuser name\fR\fP" 10
When daemonized, the process's user ID is set to that of
\fIuser name\fR.
.IP "\fB-T \fIchroot path\fR\fP" 10
Chroot directory to \fIchroot path\fR.
.IP "\fB-z\fP" 10
Select log file pruning behavior. Without this switch the default mode
is used, in which the oldest log file in the logging directory is pruned.
With \fB-z\fP, daemonlogger prunes only the oldest file written by its
current instantiation and leaves files from older runs in the same
logging directory alone.
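.SH "EXAMPLES"
.PP
The following Python is an added illustration, not part of daemonlogger itself: it parses the size suffixes accepted by \fB-s\fP and the interval suffixes accepted by \fB-t\fP, and computes the first rollover time using the rounding rule described above. Binary units (1k = 1024 bytes) and the truncation of minute- and day-based intervals to their own unit are assumptions; the manual page only spells out the hour-based case.

```python
# Added example, not daemonlogger's own code. Models the -s and -t option
# parsing described in daemonlogger(8) and the first rollover time it implies.
from datetime import datetime, timedelta

# Assumption: binary units; the man page does not say whether "k" is 1000 or 1024.
SIZE_UNITS = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3, "t": 1024 ** 4}
TIME_UNITS = {"m": 60, "h": 3600, "d": 86400}
DEFAULT_ROLLOVER_BYTES = 2 * SIZE_UNITS["g"]  # man page: 2 GB unless -s is set


def parse_size(arg=None):
    """Return the rollover size in bytes for a -s argument (None means default)."""
    if arg is None:
        return DEFAULT_ROLLOVER_BYTES
    arg = arg.strip().lower()
    if arg and arg[-1] in SIZE_UNITS:
        return int(arg[:-1]) * SIZE_UNITS[arg[-1]]
    return int(arg)  # bare number: plain bytes


def parse_interval(arg):
    """Return (seconds, unit) for a -t argument; unit is 's' when no suffix is given."""
    arg = arg.strip().lower()
    if arg and arg[-1] in TIME_UNITS:
        return int(arg[:-1]) * TIME_UNITS[arg[-1]], arg[-1]
    return int(arg), "s"


def first_rollover(start_iso, arg):
    """First rollover time (ISO 8601 string) for a process started at start_iso
    with `-t arg`. Hour-based intervals are truncated to the top of the hour
    before the interval is added, as the man page describes (13:38 + 2h -> 15:00).
    Assumptions: minute- and day-based intervals are truncated to the whole
    minute or day in the same way, and plain-second intervals are added to the
    start time directly."""
    start = datetime.fromisoformat(start_iso)
    seconds, unit = parse_interval(arg)
    if unit == "h":
        base = start.replace(minute=0, second=0, microsecond=0)
    elif unit == "m":
        base = start.replace(second=0, microsecond=0)
    elif unit == "d":
        base = start.replace(hour=0, minute=0, second=0, microsecond=0)
    else:
        base = start
    return (base + timedelta(seconds=seconds)).isoformat()


if __name__ == "__main__":
    print(parse_size("500m"), first_rollover("2024-01-01T13:38:12", "2h"))
```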
.SH "SEE ALSO"
.PP
\fBtcpdump\fR(8).
.SH "AUTHOR"
.PP
This manual page was written by Javier Fernandez-Sanguino Peña <jfs@debian.org> for
the \fBDebian\fP system (and may be used by others). Permission is
granted to copy, distribute and/or modify this document under
the terms of the GNU General Public License, Version 2 or any
later version published by the Free Software Foundation.
.PP
On Debian systems, the complete text of the GNU General Public
License can be found in /usr/share/common-licenses/GPL.
.\" created by instant / docbook-to-man