etherpoke 2.5.1

etherpoke is a scriptable network session monitor. etherpoke defines three events, SESSION_BEGIN, SESSION_END and SESSION_ERROR, to each of which a hook (a system command) can be assigned. The event hook can be any program installed on the system. SESSION_BEGIN is triggered when the first packet matching the filter rule is captured. SESSION_END is triggered when the time since the last matching packet was captured exceeds the session timeout. SESSION_ERROR is triggered when it is no longer possible to proceed with packet capture, most likely due to a network interface error. This event cancels out any future triggers of SESSION_END until SESSION_BEGIN is triggered again. etherpoke is free software licensed under the GNU GPL3.
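An added example, not code from the etherpoke project: a client-side state tracker for the three events, using the FILTER_NAME:EVT socket notification format and the 128-byte filter-name limit described in the release notes below. It assumes that EVT is the event name (SESSION_BEGIN, SESSION_END or SESSION_ERROR) and that messages are newline-terminated; both are assumptions, not documented framing.

```python
from __future__ import annotations

EVENTS = ("SESSION_BEGIN", "SESSION_END", "SESSION_ERROR")
FILTER_NAME_MAX = 128  # filter-name limit introduced in etherpoke 2.5.0


def parse_message(msg: str) -> tuple[str, str]:
    """Split 'FILTER_NAME:EVT'; reject malformed, over-long or unknown input."""
    name, sep, evt = msg.rpartition(":")
    if not sep or not name:
        raise ValueError(f"malformed notification: {msg!r}")
    if len(name.encode()) > FILTER_NAME_MAX:
        raise ValueError("filter name longer than 128 bytes")
    if evt not in EVENTS:
        raise ValueError(f"unknown event: {evt!r}")
    return name, evt


class SessionTracker:
    """Per-filter state machine with the semantics from the description:
    SESSION_ERROR suppresses SESSION_END until the next SESSION_BEGIN."""

    def __init__(self) -> None:
        self.state: dict[str, str] = {}  # filter name -> idle|active|error
        self.buf = b""                    # incomplete trailing line, if any

    def apply(self, name: str, evt: str) -> str | None:
        """Return a 'name: old -> new' transition, or None if suppressed."""
        cur = self.state.get(name, "idle")
        if evt == "SESSION_END" and cur == "error":
            return None  # capture is down; there is no session to end
        self.state[name] = {"SESSION_BEGIN": "active", "SESSION_END": "idle",
                            "SESSION_ERROR": "error"}[evt]
        return f"{name}: {cur} -> {self.state[name]}"

    def feed(self, data: bytes) -> list[str]:
        """Consume raw bytes (e.g. from sock.recv()); messages are assumed to be
        newline-terminated, so a partial message is kept for the next call."""
        self.buf += data
        *lines, self.buf = self.buf.split(b"\n")
        out = []
        for raw in lines:
            if raw:  # skip empty lines
                out.append(self.apply(*parse_message(raw.decode())))
        return [t for t in out if t is not None]
```

Feed it the bytes read from a connection to the daemon's '-t, --hostname' socket; a message split across two reads is reassembled before parsing.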

Tags: networking, packet capture, security, pcap
License: GNU GPLv3
State: initial

Recent Releases

2.5.1 (04 Feb 2016 18:25) minor bugfix:
- Make the options '-4' and '-6', used as a hint for hostname resolution, position independent. If one of those options was used before the option '-t, --hostname', its effect was cancelled out.
- Do not use the AI_ADDRCONFIG flag when resolving a hostname/address. If the flag is in effect on a computer without a configured IP address, resolution will fail.
- If a mandatory option had been left undefined in a configuration file, the program was killed with unfreed memory.
- Invalid memory access when receiving a client's data.
- Check that the value of the parameter for '-m, --accept-max' is a number.
2.5.0 (13 Jan 2016 09:45) major bugfix:
- Treat event hook definitions (session_begin, session_error, session_end) as optional.
- New option '-V, --verbose' to increase the verbosity of the process. Additional LOG_INFO messages shall be printed to syslog and/or stderr, such as client connections/disconnections and event triggers.
- Some long options had been unrecognized.
- Limit the maximum length of a filter name to 128 bytes. In previous versions, when socket notifications were enabled, a notification message which contained a filter name longer than 123 bytes was transmitted incompletely, due to the size of an intermediate buffer used in transmission.
- Validate the host format properly. The port number could have been left undefined without raising an error.
- Limit the maximum number of filters which can be loaded from a configuration file. This hard limit can be changed by updating the value of CONF_FILTER_MAXCNT and recompiling.
2.4.0 (26 Nov 2015 03:16) major feature:
- Option '-l, --listen' is no longer supported. This option was removed in favor of the new option '-t, --hostname'.
- New option '-t, --hostname' allows specifying the address/hostname and port number to which etherpoke should bind and listen on for incoming client connections. This option supersedes option '-l, --listen' as it allows changing the otherwise default address. This feature addresses the complaints about etherpoke being exposed to the LAN/WAN network when used only locally.
- Notifications via IPv6.
- New options '-4' and '-6' to control how the hostname gets resolved when '-t, --hostname' is used. If '-4' is in effect, IPv4 gets precedence over IPv6 and vice versa.
2.3.1 (03 Jun 2015 16:45) bugfix: if the executable was invoked using a specific command, the path to the configuration file became invalid.
2.3.0 (10 May 2015 07:25) feature:
- Support for sockets (TCP/UNIX domain) as an alternative to execv(3). If this mode is enabled, event hooks are sent via socket instead of being executed locally. This feature allows remote systems to be notified immediately after an event occurs, without unnecessary overhead.
- New configuration options 'notify_sock', 'notify_exec'. If set to true, 'notify_sock' sends a notification message (FILTER_NAME:EVT) to all connected clients via the TCP socket (configured with option '-l' on the program's invocation); 'notify_exec' executes the content of the event hooks. Both options can be set simultaneously. By default socket notification is disabled.
- Command-line option names have been changed; long options are supported.
- Running `make install` not only copies the compiled binary into the target directory but also sets file capabilities with `setcap`. This allows running the binary without root privileges.
- New option '-m' (--accept-max) which overrides the default value for the maximum number of concurrent client connections on the socket.
- The working directory is set to match the directory where the configuration file is located. This allows using the @include statement in the configuration file, referencing included files by their relative path.
2.2.1 (06 May 2015 16:05) minor bugfix: carry out the command expansion only once for each event, at program start.
2.2.0 (08 Mar 2015 08:05) minor feature:
- The match rule is optional in the filter definition. If no BPF filter is specified or the option is omitted altogether, capture all traffic on the interface.
- New event session_error. If there is an error in packet capture, fire this event. The event was introduced to act upon interface shutdowns immediately. If this event is triggered before the event 'session_end', it cancels out any future triggers of 'session_end' until the event 'session_begin' is triggered again. This event is mandatory. Note that in some cases it is not possible to restart packet capture.
2.1.2 (18 Jan 2015 07:45) minor feature: the system call select was replaced by poll. The latter no longer limits how many file descriptors can be watched. This allows users to define a number of filters greater than FD_SETSIZE, which on most GNU/Linux distributions is 1024.
2.1.1 (06 Jan 2015 11:45) minor feature: an interface shutdown or any other problem causing packet reading to fail is no longer a reason to kill the daemon. Use the DLT_IEEE802_11_RADIO link-layer type when monitor mode is enabled. Allow users to alter the default link-layer type using the configuration option 'link_type'.
2.1.0 (25 Dec 2014 14:05) minor feature: new configuration option 'monitor_mode'. If enabled and supported by the network interface, IEEE 802.11 wireless LAN management and control frames will be accessible. Specify the read timeout using pcap_set_timeout; on some systems, an unspecified timeout caused select to freeze.
2.0.2 (09 Nov 2014 17:31) minor feature: validation rules for the configuration file. Hook execution is done in a 'controlled' manner, and the transparency of the whole process was increased. Event hooks that failed to execute are not subsequently re-executed; the entire filter is freed from memory. Bug fixes and code cleanup.
2.0 (03 Nov 2014 21:41) major feature: