Date: Tue, 1 Aug 2023 20:39:36 -0400
From: Mark Saad <nonesuch@longcount.org>
To: Zane C B-H <v.velox@vvelox.net>
Cc: net@freebsd.org
Subject: Re: Is there a FreeBSD equivalent of 'tcpdump -i any' from Linux?
Message-ID: <E3D42774-9C4D-44AC-8331-BA9F4B670834@longcount.org>
In-Reply-To: <cb86f295fd30f94b57aaebb3ed8d6351@vvelox.net>
References: <cb86f295fd30f94b57aaebb3ed8d6351@vvelox.net>
On Aug 1, 2023, at 7:57 PM, Zane C B-H <v.velox@vvelox.net> wrote:
>
> On 2023-08-01 18:44, Mark Saad wrote:
>>>> On Aug 1, 2023, at 4:39 PM, Zane C B-H <v.velox@vvelox.net> wrote:
>>> So what is a good way to get all packets passing through that the kernel currently sees? Apparently any is not supported on non-Linux systems and pflog would require adding log to all rules. Similarly only logs packets that match a rule.
>> Just run tcpdump without the -i , iirc this will dump everything.
>
> Nope. This just runs it on the first interface it finds.
>
> - pflog - requires PF, requires adding it to all rules
> - ipfw tee - requires ipfw, not bad but it requires someone already be using ipfw
> - daemonlogger - unmaintained... quite literally dead upstream
> - suricata - can't tell it to for example not log packets for TCP port 443, which for most FPC purposes just chew up disk space and all meaningful info will be in the suricata TLS log
>
> Now as to the question of firing up multiple instances of tcpdump, this means that you will have duplicate packets where bridges are involved.

I haven't tried it personally but maybe with Netgraph you can make a tap of all of this? What is your goal?

---
Mark Saad | nonesuch@longcount.org
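One practical answer to the "multiple tcpdump instances duplicate packets where bridges are involved" problem raised above is to enumerate the interfaces and capture on every one except the if_bridge(4) interfaces themselves, so a frame crossing a bridge is recorded once at its member port rather than again on bridge0. The script below is an added example written for this thread, not code posted by either participant. It assumes FreeBSD ifconfig(8) (`ifconfig -l` for the interface list, `ifconfig -g bridge` for the bridge group) and tcpdump(8) with `-w`/`-C`/`-W` rotation; the interface names used in the self-test are constructed sample data. The default BPF filter drops TCP port 443, matching the full-packet-capture preference expressed in the thread.

```shell
#!/bin/sh
# Added example: one tcpdump per interface, skipping bridge interfaces so that
# bridged frames are captured once (at the member port) instead of twice.
# Assumes FreeBSD ifconfig(8) and tcpdump(8); run as root with the "run" argument.

# capture_ifaces ALL SKIP
#   ALL  : space-separated interface names (what `ifconfig -l` prints)
#   SKIP : space-separated interface names to leave out (the bridges)
# Prints the interfaces to capture on, also dropping loopback and the
# pflog/pfsync pseudo-interfaces, which carry no wire traffic of their own.
capture_ifaces() {
    all="$1"
    skip="$2"
    out=""
    for ifn in $all; do
        case " $skip " in *" $ifn "*) continue ;; esac
        case "$ifn" in lo[0-9]*|pflog[0-9]*|pfsync[0-9]*) continue ;; esac
        out="${out:+$out }$ifn"
    done
    printf '%s\n' "$out"
}

# bridge_ifaces: live list of if_bridge(4) interfaces (members of the
# "bridge" interface group, which FreeBSD assigns automatically).
bridge_ifaces() {
    ifconfig -g bridge 2>/dev/null | tr '\n' ' '
}

# start_captures OUTDIR [FILTER...]
#   Starts one tcpdump per selected interface, rotating at 100 MB across at
#   most 10 files per interface, and waits for all of them (Ctrl-C stops all).
start_captures() {
    outdir="$1"
    shift
    filter="${*:-not tcp port 443}"   # default: skip TLS payloads, per the thread
    mkdir -p "$outdir"
    for ifn in $(capture_ifaces "$(ifconfig -l)" "$(bridge_ifaces)"); do
        # shellcheck disable=SC2086  # the filter must be word-split for tcpdump
        tcpdump -n -U -i "$ifn" -w "$outdir/$ifn.pcap" -C 100 -W 10 $filter &
    done
    wait
}

# demo: constructed sample host with two NICs bridged, plus PF pseudo-interfaces.
# Only em0 and em1 should be captured; bridge0, lo0 and pflog0 are skipped.
demo() {
    capture_ifaces "em0 em1 bridge0 lo0 pflog0" "bridge0"
}

case "${1:-}" in
    run)  shift; start_captures "${1:-/var/fpc}" "${2:-}" ;;
    demo) demo ;;
esac
```

Capturing at the member ports rather than on the bridge interface is a deliberate choice: the port sees every frame that arrives on the wire, including ones the bridge later drops, whereas the bridge interface only sees what the bridge accepts. Invoke as `sh capture-all.sh run /var/fpc` (root, tcpdump needs /dev/bpf), or `sh capture-all.sh demo` to see the interface selection on the constructed sample.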