Date:      Fri, 8 Mar 2002 12:35:01 -0600
From:      afleming@fhsu.edu
To:        freebsd-questions@FreeBSD.ORG
Subject:   netgraph, bpf, and sniffing 2 interfaces
Message-ID:  <OFDE96AEC7.35F5E431-ON86256B76.00643BC4-86256B76.00661558@fhsu.edu>

I have been looking through the netgraph documentation, and searching the
mailing lists and web, but I still need some help.

I have a program that sniffs IP packets off of an ethernet interface using
BPF (like tcpdump does).  However, I can only sniff packets off of one
interface at a time.  I need to actually sniff packets off of two
interfaces at the same time, but the program won't use two interfaces.
(Specifically, I have a fiber tap, which of course has two outputs, one for
the transmit for each side of the link.  I want to just hook the tap output
into the receive of two fiber NICs.  This works, I can do a tcpdump on one
or the other, but I only see 1/2 of the link.  The software I am using will
only sniff one interface at a time, so I'd have to combine both streams
into one interface before I can see both sides of the conversation.)

I am thinking I can somehow use netgraph to accomplish this.

So what I think I need is to make a virtual netgraph interface and then
sniff packets off of this.

                       fxp0
                     /
tcpdump - bpf - ng0
                     \
                       fxp1

Does anyone have any suggestions on whether this is the right way to go?  If
so, can anybody help me with the setup?  I have never used netgraph before so
I'm going through a big learning curve here.  I keep running into things
like the fact that ng0 is by default a point-to-point interface and I don't
know how to change it to broadcast.  I've been doing a lot of searching but
I haven't been able to find anything about sniffing packets off of a
netgraph interface.

Thanks for any help or suggestions anyone can provide.

Andrew Fleming
Fort Hays State University Computing Center
Phone: (785) 628-4433
E-mail: afleming@fhsu.edu

