Daemonlogger for Mac OS X

Posted by Brian on October 2, 2010

Daemonlogger is a packet logger that can be configured to capture packets and write them to disk in a rotating buffer. This capability is useful when troubleshooting intermittent issues that appear to be correlated with network traffic. When the problem appears, the packets in the buffer can be inspected to see whether the cause can be determined. This may be useful for examining network traffic that occurred right before a server crash.

Installing Daemonlogger

The latest version of Daemonlogger is available in this GitHub repo:

https://github.com/vrtadmin/Daemonlogger

I used the Daemonlogger v1.2.1 source with the addition of two patches I wrote to improve the functioning in my particular application. These patches are optional, but definitely recommended.

Patch to add option for ISO 8601 timestamps in filenames:

daemonlogger_iso_8601.patch (4 KB)

Patch to improve file rotation when Daemonlogger is restarted:

daemonlogger_file_rotation.patch (2 KB)

You will also need to download a copy of libdnet in order to compile Daemonlogger. I used the source package for version 1.11:

http://libdnet.sourceforge.net/

Download the Daemonlogger source package, the two patches, and the libdnet source package to your Downloads folder. Install by opening the Terminal application and using the following commands. If installing to a remote server, replace every occurrence of localhost with the fully-qualified domain name of that server.

scp ~/Downloads/daemonlogger-1.2.1.tar.gz admin@localhost:/tmp/
scp ~/Downloads/daemonlogger_iso_8601.patch admin@localhost:/tmp/
scp ~/Downloads/daemonlogger_file_rotation.patch admin@localhost:/tmp/
scp ~/Downloads/libdnet-1.11.tar.gz admin@localhost:/tmp/
ssh admin@localhost

cd /tmp/
tar xvzf libdnet-1.11.tar.gz
cd libdnet-1.11
./configure
make
sudo make install

cd /tmp/
tar xvzf daemonlogger-1.2.1.tar.gz
cd daemonlogger-1.2.1
patch -p0 < /tmp/daemonlogger_iso_8601.patch
patch -p0 < /tmp/daemonlogger_file_rotation.patch
./configure
make
sudo make install
exit

Configuring Daemonlogger

For best results, Daemonlogger should be configured to run as a background process with launchd. This can be done by opening the Terminal application and using the following commands. If configuring a remote server, replace every occurrence of localhost with the fully-qualified domain name of that server.

ssh admin@localhost
sudo mkdir /var/daemonlogger
sudo chown nobody:nobody /var/daemonlogger/
sudo nano /etc/daemonlogger.filter

When the text editor appears, paste in a BPF filter expression that selects the network traffic to include in (or exclude from) the capture. For example, the following expression captures packets related to DNS, Kerberos, LDAP, and Active Directory Global Catalog lookups:

port 53 or port 88 or port 389 or port 3268

When finished, press control-O and then Return to save the file. Then press control-X to exit back to the command line.

sudo nano /Library/LaunchDaemons/com.briandwells.daemonlogger.plist

Paste in the configuration file for Daemonlogger as shown below and change the default settings as appropriate. For instance, the network interface may need to be changed from en0 to some other interface. The name prefix for the capture files may include the domain name of the computer instead of localhost. The time interval of 1 hour and the rotating buffer count of 72 may also need to be adjusted.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Label</key>
    <string>com.briandwells.daemonlogger</string>
    <key>KeepAlive</key>
    <true/>
    <key>ProgramArguments</key>
    <array>
      <string>/usr/local/bin/daemonlogger</string>
      <string>-i</string>
        <string>en0</string>
      <string>-n</string>
        <string>localhost.pcap</string>
      <string>-t</string>
        <string>1h</string>
      <string>-m</string>
        <string>72</string>
      <string>-S</string>
        <string>0</string>
      <string>-F</string>
      <string>-j</string>
      <string>-r</string>
      <string>-u</string>
        <string>nobody</string>
      <string>-g</string>
        <string>nobody</string>
      <string>-l</string>
        <string>/var/daemonlogger</string>
      <string>-f</string>
        <string>/etc/daemonlogger.filter</string>
    </array>
  </dict>
</plist>

When finished, press control-O and then Return to save the file. Then press control-X to exit back to the command line.

Start up Daemonlogger and then exit from secure shell with the following commands.

sudo launchctl load -w /Library/LaunchDaemons/com.briandwells.daemonlogger.plist
exit

Inspecting Captured Packets

The rotating buffer of captured packets is stored in the /var/daemonlogger/ folder and may be inspected with the tcpdump command or with a packet analyzer such as Wireshark.
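As an added example (not from the original post and not part of Daemonlogger itself), the following Python script summarises a rotating-buffer directory by reading the pcap global and record headers directly, so the file count and time span can be checked against the -m and -t settings without tcpdump. It assumes the default Daemonlogger file naming of prefix.unix-timestamp (not the ISO 8601 naming from the patch above) and builds its own constructed sample buffer in a temporary directory.

```python
import os
import struct
import tempfile

# pcap magic numbers -> (byte order, timestamp fraction unit); nanosecond variants included
MAGICS = {b"\xd4\xc3\xb2\xa1": ("<", 1e-6), b"\xa1\xb2\xc3\xd4": (">", 1e-6),
          b"\x4d\x3c\xb2\xa1": ("<", 1e-9), b"\xa1\xb2\x3c\x4d": (">", 1e-9)}

def pcap_summary(path):
    """Return (packet_count, first_ts, last_ts) by walking the record headers."""
    count, first, last = 0, None, None
    with open(path, "rb") as f:
        endian, unit = MAGICS[f.read(4)]
        f.read(20)  # remainder of the 24-byte global header
        while True:
            rec = f.read(16)
            if len(rec) < 16:  # clean EOF or a truncated trailing record
                break
            sec, frac, incl_len = struct.unpack(endian + "III", rec[:12])
            f.seek(incl_len, os.SEEK_CUR)  # skip the packet bytes, not parsed here
            ts = sec + frac * unit
            first = ts if first is None else first
            last, count = ts, count + 1
    return count, first, last

def buffer_report(directory, prefix="localhost.pcap", max_files=72):
    """Summarise every '<prefix>.<unix-time>' file in a Daemonlogger log directory."""
    names = sorted(n for n in os.listdir(directory) if n.startswith(prefix + "."))
    packets, stamps = 0, []
    for name in names:
        count, first, last = pcap_summary(os.path.join(directory, name))
        packets += count
        stamps += [t for t in (first, last) if t is not None]
    return {"files": len(names), "packets": packets,
            "within_limit": len(names) <= max_files,
            "span_s": (max(stamps) - min(stamps)) if stamps else 0}

def write_sample_pcap(path, timestamps):
    """Constructed sample: little-endian pcap, link type 1, 4-byte packets."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for ts in timestamps:
            f.write(struct.pack("<IIII", ts, 0, 4, 4) + b"\x00\x01\x02\x03")

def make_sample_buffer(base=1285977600, files=3, interval_s=3600):
    """Constructed sample buffer: one rotated file per hour, two packets each."""
    d = tempfile.mkdtemp()
    for start in range(base, base + files * interval_s, interval_s):
        write_sample_pcap(os.path.join(d, f"localhost.pcap.{start}"), [start, start + 1800])
    return d
```

Point buffer_report at /var/daemonlogger with the prefix and -m value from the plist to check a live buffer.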