DaemonLogger: Simple packet logging & soft tap daemon.
Version 1.0.1

Copyright (C) 2006-2007 Sourcefire Inc.
Author: Martin Roesch <roesch@sourcefire.com>

This is a libpcap-based program.  It has two runtime modes:

1) It sniffs packets and spools them straight to the disk and can daemonize 
itself for background packet logging.  By default the file rolls over when 
1 GB of data is logged.

2) It sniffs packets and rewrites them to a second interface, essentially 
acting as a soft tap.  It can also do this in daemon mode.

These two runtime modes are mutually exclusive, if the program is placed in
tap mode (using the -I switch) then logging to disk is disabled.

License:

GPL v2.  Make SURE you read the included COPYING file so that you understand 
how this file is licensed by Sourcefire, even though it's under the GPL v2 
there are some clarifications that we have made regarding the licensing of 
this program.

Requirements:

* A recent version of libpcap.
* A recent version of libdnet.

Usage:

daemonlogger [switches] [bpf filter]

Switches:

    -c <count>      Capture <count> packets and exit.
    -d              Daemonize at startup.
    -f <bpf file>   Load BPF filter from <bpf file>.
    -F              Make disk output "packet-buffered".  As  each packet
                    is saved, it will be written to the output file rather 
                    than being written only when the output buffer fills.
    -g <group name> Set group ID to <group name>.
    -h              Print usage message.
    -i <interface>  Sniff packets from <interface>.
    -l <path>       Specify a <path> to write the pcap logfiles into.
    -m <count>      Write <count> log files and exit.
    -n <name>       Set output filename prefix to <name>.  Default is
                    "daemonlogger.pcap".
    -o <outf>       Disable packet logging and write packets received on 
                    <interface> on <outf>.  Activates tap mode.
                    Example: daemonlogger -i en0 -o gre0
    -p <pidfile>    Set an explicit <pidfile> filename.  Default is 
                    daemonlogger.pid.
    -P <pidpath>    Set an explicit <pidpath> directory.  Default is /var/run.
    -r              Activate ringbuffer mode.
    -s <size>       Rollover the log file if it reaches <size> bytes.
    -S <snaplen>    Set the number of bytes to grab per packet to <snaplen>.
    -t <time>       Rollover the log file on time intervals.  Append an 'm' to
                    rollover on minute boundaries, 'h' to rollover on hour
                    boundaries and 'd' to rollover on day boundaries.  If no 
                    interval selector is used then the default rollover interval
                    is in seconds.
                    For example, "-t 60" rolls the log file over every 60 
                    seconds and "-t 2h" rolls the log file over every two
                    hours at the top of the hour.  In the case of 
                    minute/hour/day-based rollovers, the will round to the next
                    highest hour.  For example, if the program is told to 
                    rollover every 2 hours and is started 38 minutes into the 
                    current hour it will add 2 to the current hour and rollover
                    as scheduled at the top of the hour at <current hour> + 2.
                    If the program was started at 13:38 it would roll over the 
                    logfile at 15:00.
    -T <chroot>     Chroot directory to <chroot>.
    -u <user name>  Set user ID to <user name>.
    -v              Show daemonlogger version.

BPF Filter:
    You can specify BPF filter commands after the command line switches just 
like in tcpdump or Snort.

This code is largely untested and probably completely shoddy.  YMMV.  Write me 
if you find bugs or want features!
