From: Tino Engel
To: Zane C B-H
Cc: Mark Saad, net@freebsd.org
Subject: Re: Is there a FreeBSD equivalent of 'tcpdump -i any' from Linux?
Date: Wed, 2 Aug 2023 16:04:56 +0200
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net
In-Reply-To: <3376670f5c14ac160e75420a2c168481@vvelox.net>

Btw I think 'netcat' (https://www.freshports.org/net/netcat/) should be in the list, shouldn't it?

Rgds, Tino

On 02.08.2023 at 10:13, Zane C B-H <v.velox@vvelox.net> wrote:

On 2023-08-01 19:39, Mark Saad wrote:
On Aug 1, 2023, at 7:57 PM, Zane C B-H <v.velox@vvelox.net> wrote:
On 2023-08-01 18:44, Mark Saad wrote:
On Aug 1, 2023, at 4:39 PM, Zane C B-H <v.velox@vvelox.net> wrote:
So what is a good way to get all packets passing through that the kernel currently sees? Apparently 'any' is not supported on non-Linux systems and pflog would require adding log to all rules. Similarly, it only logs packets that match a rule.
Just run tcpdump without the -i, iirc this will dump everything.
Nope. This just runs it on the first interface it finds.
- pflog - requires PF, requires adding it to all rules
- ipfw tee - requires ipfw, not bad but it requires someone already be using ipfw
- daemonlogger - unmaintained... quite literally dead upstream
- suricata - can't tell it to, for example, not log packets for TCP port 443, which for most FPC purposes just chew up disk space and all meaningful info will be in the suricata TLS log
Now as to the question of firing up multiple instances of tcpdump, this means that you will have duplicate packets where bridges are involved.
I haven't tried it personally, but maybe with Netgraph you can make a tap of all of this?
What is your goal?

Replacement for daemonlogger, given it is dead upstream and no one else has picked up development. On Linux the same can easily be accomplished via tcpdump and the pcap rotation options and then just removing old files based on age/disk usage. Unfortunately FreeBSD lacks support for '-i any'. In many ways I settled upon tcpdump as it is not likely to just stop being developed.
Netgraph looks semi-workable via one2many and setting the interfaces on the many side to promisc, but this also creates the issue that the listening interface can also transmit. That said, it looks like putting the connected ng_iface in monitor mode at creation should solve that. Been looking at that on and off today trying to wrap my head around netgraph.

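As an added example (not code posted by anyone in this thread), the following sketch shows how the tcpdump-based daemonlogger replacement Zane describes could look on FreeBSD, which has no '-i any': one tcpdump per interface, time-based rotation with -G into strftime-named files, a BPF filter that drops the TCP/443 payload the IDS TLS log already summarizes, and pruning by age and by disk usage. Bridge interfaces are skipped because capturing on both a bridge and its members would record each frame twice, which is the duplication Mark raises. The capture directory, rotation interval, retention limits, filter and exclusion patterns are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: per-interface tcpdump capture with rotation and pruning,
# standing in for daemonlogger on FreeBSD. All values below are assumed
# defaults; override them through the environment.

CAPTURE_DIR="${CAPTURE_DIR:-/var/log/pcap}"
ROTATE_SECS="${ROTATE_SECS:-3600}"      # -G: start a new file every hour
MAX_AGE_DAYS="${MAX_AGE_DAYS:-14}"      # delete captures older than this
MAX_MB="${MAX_MB:-20480}"               # then trim oldest until under this
# Skip TLS payload; the IDS TLS log carries the useful metadata.
FILTER="${FILTER:-not tcp port 443}"

# capture_ifaces: take the output of 'ifconfig -l' (space-separated
# interface names) and print, one per line, the interfaces worth tapping.
# Loopback, pflog, bridges and enc are dropped: bridge members already
# deliver the bridged frames, so capturing bridge0 as well duplicates them.
capture_ifaces() {
    for ifn in $1; do
        case "$ifn" in
            lo[0-9]*|pflog[0-9]*|bridge[0-9]*|enc[0-9]*) ;;
            *) printf '%s\n' "$ifn" ;;
        esac
    done
}

# prune_old DIR MAX_AGE_DAYS MAX_MB: first remove rotated captures older
# than MAX_AGE_DAYS, then remove the oldest remaining files until the
# directory is at or under MAX_MB megabytes.
prune_old() {
    dir="$1"; max_age="$2"; max_mb="$3"
    find "$dir" -type f -name '*.pcap' -mtime +"$max_age" -exec rm -f {} +
    while [ "$(du -sm "$dir" | cut -f1)" -gt "$max_mb" ]; do
        # pipe through head so a missing glob cannot trip 'set -e'
        oldest=$(ls -tr "$dir"/*.pcap 2>/dev/null | head -n1)
        [ -n "$oldest" ] || break
        rm -f "$oldest"
    done
}

# start_captures: one tcpdump per selected interface, all in the background.
# -Z drops privileges after the interface is opened, so CAPTURE_DIR must be
# writable by that user or the -G reopen will fail.
start_captures() {
    mkdir -p "$CAPTURE_DIR"
    trap 'kill 0' INT TERM
    for ifn in $(capture_ifaces "$(ifconfig -l)"); do
        tcpdump -i "$ifn" -n -s 0 -Z nobody \
            -G "$ROTATE_SECS" \
            -w "$CAPTURE_DIR/${ifn}-%Y%m%d-%H%M%S.pcap" \
            "$FILTER" &
    done
    wait
}

# Usage: ./capture.sh run        (start the captures)
#        ./capture.sh prune      (run from cron to enforce retention)
case "${1:-}" in
    run)   start_captures ;;
    prune) prune_old "$CAPTURE_DIR" "$MAX_AGE_DAYS" "$MAX_MB" ;;
esac
```

The pruning step is deliberately separate from the capture loop so it can run from cron and so that a capture process that dies does not stop retention from being enforced. If ipfw or pf is already in use, a per-interface tcpdump still sees the traffic before and after filtering, which is the 'everything the kernel currently sees' view asked for in the original question.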