From owner-freebsd-hackers Thu Feb 3 15:41:20 2000
Date: Thu, 3 Feb 2000 23:22:56 +0100
From: Guido van Rooij
To: lists@security.za.net
Cc: hackers@freebsd.org
Subject: Re: IPFW / IP Filter question
Message-ID: <20000203232256.A66818@gvr.gvr.org>

On Thu, Feb 03, 2000 at 11:28:49PM +0200, lists@security.za.net wrote:
> A quick question, is it possible to copy all traffic coming into a
> particular interface to a divert socket, while still having the traffic
> also running normally and taking normal routes etc.
>
> I would have thought you would use the tee option in ipfw for this, but
> it's not implemented yet according to my man pages, so I was wondering if
> there was another way to do this, cause it makes traffic analysis a hell
> of a lot easier if I can do this rather than having to sniff it with bpf
> or something.

I can't answer this for ipfw (though IIRC there does exist a tee option
in -current for ipfw).

With ipfilter you can dup all traffic to an alternate device, like a
tunnel device, e.g.:

    pass in on lo0 dup-to tun0 from localhost to localhost

or:

    pass in on lo0 dup-to ed0:1.2.3.4 from localhost to localhost

where 1.2.3.4 is a machine on the same LAN as ed0.

-Guido