How to filter specific protocols with sniffglue?

Use the verbosity flags (-v to -vvvv) to control which packet types are displayed. For example, '-v' adds ARP, '-vv' includes SSDP and Dropbox beacons, and higher levels show more protocols, as explained in the Usage section.

sniffglue vs tcpdump: which is better for secure environments?

sniffglue is explicitly designed with security in mind, using seccomp and privilege dropping to run safely on untrusted networks. tcpdump is more established but lacks these built-in hardening features, making sniffglue preferable for hostile environments.

Can sniffglue decrypt TLS or HTTPS traffic?

No, sniffglue only parses TLS headers to identify connections but does not decrypt encrypted content. For decryption, you need separate tools or access to encryption keys.

How to install sniffglue on Windows?

sniffglue is primarily targeted at Unix-like systems; Windows installation isn't documented in the README, suggesting limited or no native support. Users might need to use WSL or alternative tools.

What's the performance impact of sniffglue's security measures?

The seccomp and privilege dropping add minimal overhead, and the multithreaded design helps maintain performance. However, for very high-speed networks, specialized hardware or optimized software might be necessary to avoid packet loss.

How to configure the security sandbox in sniffglue?

Security settings are configured via /etc/sniffglue.conf, where you can specify chroot directories and unprivileged users for privilege dropping, as detailed in the Hardening subsection of the Security section.

Open-Awesome

sniffglue

GPL-3.0Rustv0.16.2

A secure, multithreaded network packet sniffer written in Rust, designed for safe operation on untrusted networks.

Visit Website GitHub

1.3k stars103 forks0 contributors

What is sniffglue?

sniffglue is a network packet sniffer written in Rust that securely captures and parses network traffic. It uses multithreaded processing to efficiently analyze packets across all CPU cores while implementing strong security measures like seccomp sandboxing to prevent system compromise. The tool is designed to be crash-resistant and provide useful, human-readable output by default for common protocols.

Target Audience

Network administrators, security researchers, and developers who need to analyze network traffic securely, especially in untrusted environments or containerized setups.

Value Proposition

Developers choose sniffglue for its unique combination of security-first design, multithreaded performance, and reliability. Unlike many packet sniffers, it's explicitly built to run safely on hostile networks without crashing, making it ideal for security-critical applications.

Overview

Secure multithreaded packet sniffer

Use Cases

Best For

Securely monitoring network traffic on untrusted or public networks
Debugging container network configurations in Docker environments
Analyzing protocol-level network communication for security research
Educational purposes to understand network packet structures and protocols
Lightweight network diagnostics in resource-constrained environments
Building security tools that require reliable packet capture and parsing

Not Ideal For

Analyzing wireless network traffic (802.11 is explicitly not supported)
High-speed network monitoring requiring specialized hardware or maximum throughput
Users needing a graphical interface for interactive packet inspection and filtering
Decrypting encrypted traffic without additional tools or key access

Pros & Cons

Pros

Multithreaded Performance

Uses a thread pool to parse network packets concurrently across all CPU cores, ensuring efficient utilization on multi-core systems, as highlighted in the project goals.

Security-First Design

Implements seccomp syscall restrictions and privilege dropping with a configurable hardening file (/etc/sniffglue.conf), making it safe for untrusted networks, as detailed in the Security section.

Crash-Resistant Operation

Engineered to avoid crashes during packet processing, even with malformed input, supported by fuzzing tests (cargo-fuzz) to ensure reliability.

Lightweight Docker Integration

Can be built as a small Docker image (~11.1MB) for debugging container network setups, providing an easy way to deploy in isolated environments, as mentioned in the Docker section.

Cons

Limited Protocol Coverage

Does not support 802.11 for wireless traffic analysis, which is a notable gap compared to more comprehensive sniffers, as listed in the protocols section.

Complex Source Build

Building from source requires external dependencies like libpcap and libseccomp, adding setup overhead for users on systems without pre-packaged versions.

No Graphical Interface

Operates solely in the terminal, which may be less user-friendly for those accustomed to GUI tools like Wireshark for visual packet analysis.

Frequently Asked Questions

Related Projects

Metasploit Framework

Stars38,384

Forks14,876

Last commit3 days ago

SQLMap

Automatic SQL injection and database takeover tool

TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.

Stars25,793

Forks3,224

Last commit1 month ago

mimikatz

A little tool to play with Windows security

Stars21,621

Forks4,130