About netdumpd
--------------

netdumpd is a simple daemon which basically acts like a daemonized version of tcpdump. It sniffs network traffic on a particular interface and writes the packets it sees to a standard libpcap dump file. netdumpd was written to log packet headers for statistical analysis by other programs which read pcap dump files, such as bpfcount.

The main difference between netdumpd and any number of other programs which can dump network traffic (aside from the fact that it runs as a daemon) is that netdumpd is designed to handle log rotation correctly. When it receives a SIGHUP it will gracefully close and re-open the dump file it is currently writing to, which allows the dump file to be rotated cleanly and without losing any packets.

Using netdumpd
--------------

See the INSTALL file for instructions on how to build, install and start netdumpd.

See the scripts directory included with the source distribution for some sample shell scripts that may be useful in managing netdumpd's output files, such as maintaining a rolling archive of the past 24 hours' worth of packets.

Notes
-----

On Redhat 7.x, configure or compilation may fail with errors about net/bpf.h not existing, or configure may tell you that it cannot find pcap.h when you in fact have it. I think this is a bug with Redhat's libpcap packages. See below for instructions on how to fix it, or install libpcap >= 0.7.2 from source.

Fixing Redhat pcap build/configure problems
-------------------------------------------

As mentioned above in the Notes section, this may be needed if you're on Redhat 7.x and configure tells you you don't have pcap.h when in fact you do.

Edit your pcap.h file (/usr/include/pcap/pcap.h on RH 7.x). Line 42 reads:

    #include

Change it to read:

    #include

Now try rebuilding.
Reporting Bugs / Comments / Requests / Patches
----------------------------------------------

Send me (Steve Benson) an email at steve@rhythm.REMOVE_THIS_SPAMTRAP.cx if you have questions or find bugs or anything.