I started out writing cxtracker and PRADS in perl, as my C fu was kinda rusty, and perl programmers claimed that perl was fast enough… It turned out, that perl was not fast enough for my purpose, but it added to my perl skillz at least.
So I wanted to rewrite cxtracker and PRADS in C, and the last three weeks, I have re-learned C and rewritten cxtracker. It has been many late hours and small bugs have been annoying me way too much. But I have had the chance to play more with debuggers and C which I find very interesting and pleasing.
cxtracker can now be used instead of sancp in a sguil setup. cxtracker is also meant to be used in another little project I have going, FPCGUI (Full Packet Capture GUI), but thats another blog entry soon to come.
cxtracker also logs IPv6 traffic, something that sancp does not. Sguil does not eat IPv6 yet, so to use cxtracker with sguil, a bpf filer for not inspecting IPv6 traffic should be used.
On my sensors, cxtracker seems to use about 20-30% lesser CPU time than sancp, which makes me really happy! The memory footprint is the same as sancp.
The reason I started with cxtracker as my first C project, is that it is a corner stone in my other projects, FPCGUI and PRADS. In FPCGUI, cxtracker is used to track IP sessions and storing them to a DB. In PRADS, it also tracks sessions, so one can limit the amount of data to check for service signatures in (Just check xx first packets, or xxx bytes of data after initial connection).
cxtracker is hosted on github : http://github.com/gamelinux/cxtracker
git clone git://github.com/gamelinux/cxtracker.git
It uses libpcap and I have yet only tried to compile it on Ubuntu and Debian machines (x86 and x86_64).
To test it:
# libpcap and a build environment is needed.
$ git clone git://github.com/gamelinux/cxtracker.git
$ cd cxtracker/src/
$ ./cxtracker -h
$ cxtracker [options]
-i : network device (default: eth0)
-b : berkeley packet filter
-d : directory to dump sessions files in
-u : user
-g : group
-D : enables daemon mode
-h : this help message
-v : verbose
$ ./cxtracker -i eth0 -D -d /nsm_data/sensor-hostname/sancp/ -u nsm -g nsm -b ‘ip’
If you try out cxtracker, feedback is more than welcome!