Deployment

Options for deploying JitterTrap in production environments.

Required Capabilities

JitterTrap needs elevated privileges for packet capture and traffic control. The required Linux capabilities are:

Capability      Purpose
CAP_NET_RAW     Packet capture (pcap)
CAP_NET_ADMIN   Traffic control (tc/netem for impairments)
CAP_SYS_ADMIN   Network namespace operations

Deployment Options

Option 1: Run as Root (Development)

Simplest approach for development and testing:

sudo ./jt-server -p 8080

Option 2: File Capabilities

Set capabilities on the binary for non-root operation:

sudo setcap 'cap_net_raw,cap_net_admin,cap_sys_admin+ep' jt-server
./jt-server -p 8080

Option 3: Systemd Service

Create a systemd unit file for automatic startup:

# /etc/systemd/system/jittertrap.service
[Unit]
Description=JitterTrap Network Analyzer
After=network.target

[Service]
Type=simple
ExecStart=/opt/jittertrap/jt-server -p 8080
Restart=on-failure
User=jittertrap
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN

[Install]
WantedBy=multi-user.target

Enable and start:

sudo systemctl daemon-reload
sudo systemctl enable jittertrap
sudo systemctl start jittertrap
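
To confirm that the running service holds exactly the three capabilities listed under Required Capabilities and nothing more, the following added example (not part of JitterTrap) decodes the CapEff mask from /proc/<pid>/status. The function names and the sample status text are constructed for illustration; the bit numbers are the ones defined in linux/capability.h.

```shell
#!/bin/sh
# Added example, not part of JitterTrap: compare a process's effective
# capability mask with the three capabilities this page lists.

# Bit positions from <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_NET_RAW=13
CAP_SYS_ADMIN=21
EXPECTED=$(( (1 << $CAP_NET_ADMIN) | (1 << $CAP_NET_RAW) | (1 << $CAP_SYS_ADMIN) ))

# cap_eff: print the CapEff hex mask from /proc/<pid>/status text on stdin.
cap_eff() {
    awk '$1 == "CapEff:" { print $2 }'
}

# classify HEXMASK: print "ok", or the missing and excess bits in hex.
# Exit status is 0 only when the mask is exactly the expected set.
classify() (
    case $1 in
        ''|*[!0-9a-fA-F]*) echo "invalid"; exit 2 ;;
    esac
    mask=$(( 0x$1 ))
    missing=$(( $EXPECTED & ~$mask ))
    excess=$(( $mask & ~$EXPECTED ))
    if [ "$missing" -eq 0 ] && [ "$excess" -eq 0 ]; then
        echo "ok"
        exit 0
    fi
    printf 'missing=%x excess=%x\n' "$missing" "$excess"
    exit 1
)

# audit_pid PID: classify a live process.
audit_pid() {
    classify "$(cap_eff < "/proc/$1/status")"
}

# Constructed sample: status excerpt as the systemd unit above should produce.
SAMPLE_STATUS='Name:   jt-server
CapPrm: 0000000000203000
CapEff: 0000000000203000'

if [ "$#" -gt 0 ]; then
    audit_pid "$1"
else
    printf '%s\n' "$SAMPLE_STATUS" | cap_eff | { read -r m; classify "$m"; }
fi
```

Pass the service's main PID as the first argument (systemctl show -p MainPID --value jittertrap prints it). A process started as root reports a large excess value, which is the difference between Option 1 and the other two options.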

Security Considerations

  • Network access — JitterTrap's web interface has no authentication by default. Use a reverse proxy (nginx, caddy) to add authentication if exposed beyond localhost.

  • Impairments — The impairments feature can disrupt network traffic. Consider running JitterTrap on a dedicated test interface or machine.

  • Packet capture — Captured traffic may contain sensitive data. Ensure pcap files are stored securely.

Reverse Proxy Example

Using nginx to add basic authentication:

server {
    listen 443 ssl;
    server_name jittertrap.example.com;

    ssl_certificate /etc/ssl/certs/jittertrap.crt;
    ssl_certificate_key /etc/ssl/private/jittertrap.key;

    auth_basic "JitterTrap";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
}

The WebSocket upgrade headers are required for real-time updates.

Command-Line Options

jt-server [options]

  -p, --port PORT      HTTP server port (default: 8080)
  -i, --interface IF   Network interface to monitor
  -h, --help           Show help message