General
- If you ever get stuck, we now have a man page!
- Upgrade to nom3
Decoders
- arp
Security
- sandboxing! (x86_64 only) syscalls are disabled in two stages, before and after initialization completed
- chroot! shortly before the 2nd seccomp stage is activated, we chroot into an empty folder
- setuid! after we opened the device for sniffing (and chrooted), we aren't doing anything that needs special privileges, so we setuid to an unprivileged user.
Keep in mind that seccomp is currently only enabled on x86_64 and chroot/setuid is disabled unless the config at /etc/sniffglue.conf exists.
Fancy
- Build a docker image and sniff in container setups