Marty (Snort) has written a packet logger/soft tap called daemonlogger, which you can download here -
I hadn't looked into it until I talked to him today, so I just downloaded and installed it with pretty straightforward steps -
shell>make && make install
Checking daemonlogger version -
-*> DaemonLogger <*- Version 0.7 By Martin Roesch (C) Copyright 2006-2007 Sourcefire Inc., All rights reserved
USAGE: daemonlogger [-options]
-d Daemonize at startup
-h Show this usage statement
-v Show daemonlogger version
shell>daemonlogger -i rl1 -o vr0 -p /nsm/daemonlogger-rl1.pid -d
[-] Interface set to rl1
[-] Tap output interface set to vr0
[-] Pidfile configured to "/nsm/daemonlogger-rl1.pid"
[-] Daemon mode set
-*> DaemonLogger <*- Version 0.7 By Martin Roesch (C) Copyright 2006-2007 Sourcefire Inc., All rights reserved
trinity:/nsm# tcpdump -i vr0
tcpdump: WARNING: vr0: no IPv4 address assigned
tcpdump: listening on vr0, link-type EN10MB
17:44:22.340032 pr-in-f19.google.com.www > 192.168.0.155.2660: P 4107897218:4107897246(28) ack 3442614823 win 7200
17:44:22.340042 192.168.0.155.2660 > pr-in-f19.google.com.www: . ack 28 win 7504 (DF)
17:44:25.340047 192.168.0.155.4024 > pr-in-f19.google.com.www: . 4081159920:4081161360(1440) ack 3322996791 win 44330 (DF)
17:44:25.340062 192.168.0.155.4024 > pr-in-f19.google.com.www: P 1440:1766(326) ack 1 win 44330 (DF)
17:44:25.340073 192.168.0.155.1617 > zelazny.freenode.net.6667: P 1979289541:1979289553(12) ack 1468261941 win 16022
Daemonlogger also supports pcap file rollover based on size and time, which is pretty useful because it avoids writing external support scripts for it. I like this feature, since I have used a similar one in tethereal.
You can also deploy a setup similar to the one built by Richard, which is described here using PF or in his Extrusion Detection book -
Just build a router box with 4 network interfaces (sk0-sk3) -
External Interface(sk0) - Internet Facing
Internal Interface(sk1) - Internal Network
sk2 - Only watches port 80 traffic
sk3 - Monitors everything except port 80
Writing simple BPF filters to files -
shell>echo 'port 80' > sensor-sk2.fil
shell>echo '! port 80' > sensor-sk3.fil
Running daemonlogger in soft tap mode -
shell>daemonlogger -f sensor-sk2.fil -i sk0 -o sk2 -d
shell>daemonlogger -f sensor-sk3.fil -i sk0 -o sk3 -d
All the port 80 traffic will be transmitted to the sk2 interface and the rest will be transmitted to the sk3 interface. It is that simple to build distributed sensors/traffic collectors with daemonlogger.
Quoting Richard's words -
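As an added illustration (not from the original post and not daemonlogger code), this Python sketch models which frames the two filter files send to sk2 and which to sk3. It is a simplified model of pcap's `port` semantics for untagged Ethernet/IPv4 only; the helper names and sample frames are constructed for the example.

```python
import struct

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
PORT_PROTOS = {6, 17, 132}  # TCP, UDP, SCTP: what pcap's "port" primitive inspects

def matches_port(frame: bytes, port: int) -> bool:
    """Simplified model of the pcap filter 'port N' on untagged Ethernet/IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return False  # ARP and other non-IP frames never match (IPv6 not modelled)
    ihl = (frame[14] & 0x0F) * 4
    frag_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
    if frame[23] not in PORT_PROTOS or frag_offset != 0:
        return False  # non-first fragments carry no L4 header, so no port to test
    l4 = 14 + ihl
    if len(frame) < l4 + 4:
        return False
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return port in (sport, dport)

def sensor_for(frame: bytes) -> str:
    """sk2 runs 'port 80', sk3 runs '! port 80': every frame hits exactly one."""
    return "sk2" if matches_port(frame, 80) else "sk3"

def ipv4_frame(proto: int, sport: int, dport: int, frag_offset: int = 0) -> bytes:
    """Build a constructed Ethernet/IPv4 frame with 8 bytes of L4 data."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, frag_offset, 64, proto, 0,
                     bytes([192, 168, 0, 155]), bytes([192, 0, 2, 10]))
    return eth + ip + struct.pack("!HHI", sport, dport, 0)

# Constructed sample frames (not captured traffic).
SAMPLES = {
    "http request": ipv4_frame(6, 2660, 80),
    "http reply": ipv4_frame(6, 80, 2660),
    "irc": ipv4_frame(6, 1617, 6667),
    "udp dns": ipv4_frame(17, 40000, 53),
    "icmp": ipv4_frame(1, 0, 0),
    "later fragment of http": ipv4_frame(6, 80, 2660, frag_offset=185),
    "arp": b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", ETH_ARP) + b"\x00" * 28,
}

def route_all() -> dict:
    return {name: sensor_for(frame) for name, frame in SAMPLES.items()}

if __name__ == "__main__":
    for name, sensor in route_all().items():
        print(f"{name:24} -> {sensor}")
```

The point to take away is that the sk2 sensor sees only frames whose port can be read, so non-first IP fragments of port 80 traffic, along with ARP and ICMP, arrive on sk3.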
One would have hoped the Pf dup-to function could send traffic to directly connected interfaces without the involvement of any IP addresses. Unfortunately, my testing revealed that assigning IP addresses to interfaces on both sides of the link is required.
The answer is daemonlogger, have fun!