Date:      Fri, 20 Sep 1996 08:59:26 -0500 (CDT)
From:      Alex Nash <alex@fa.tdktca.com>
To:        Richard Gresek <rg@plusnet.de>
Cc:        freebsd-isp@FreeBSD.org
Subject:   Re: IP-Header Log
Message-ID:  <Pine.BSF.3.91.960920083926.25620E-100000@fa.tdktca.com>
In-Reply-To: <199609201208.MAA01399@gds.de>

On Fri, 20 Sep 1996, Richard Gresek wrote:

> Is it possible to log the IP-headers that are going through one interface?
> (Need to see the source- and the destination ip-address + the port)
> 
> We are running several FreeBSD-servers for our customers as 
> ISDN-Routers (with bisdn). The routers setup the ISDN-line once per 
> hour, even during the night.
> 
> I'd like to find which workstation on which port is sending the 
> packets that cause the dialout.

How about using ipfw?  [The following rules create a wide open firewall
because I have assumed that you are not currently using this box as a
firewall.]

  ipfw add accept log all from any to any via xy0

Where xy0 is replaced with your interface name.

Naturally, you can expect a *lot* of logging information from this.  You
could cut it down by specifying the rule to only match packets with the SYN 
flag set (if you were willing to monitor TCP connections only):

  ipfw add accept log tcp from any to any setup via xy0

[Note: older versions of ipfw were picky about the order of via and 
setup, so the above may need to be reversed.]

Going a step further, you could also watch for ICMP packets (if someone 
was keeping a connection alive with ping for instance):

  ipfw add accept log icmp from any to any via xy0

Don't forget, ipfw blocks everything by default.  So if you're using the 
last two rules, you'll also need to explicitly pass UDP packets and 
established TCP packets:

  ipfw add accept all from any to any

The interface specification has been dropped to allow localhost/other 
network communications.

Alex
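Once the logging rules above are in place, the remaining work is reading the syslog output and attributing the outbound packets to a workstation and port. The following parser is an added example, not part of Alex's reply or of FreeBSD; it aggregates constructed log lines by source host, protocol and destination port, counting only packets leaving the dial-up interface, since only outbound traffic can trigger the dialout. The sample lines are made up and patterned on the current FreeBSD ipfw log format (`ipfw: <rule> <action> <proto> <src>[:port] <dst>[:port] <in|out> via <iface>`); the exact layout produced by the 1996 version of ipfw may differ, so adjust the regular expression to match what your kernel actually logs.

```python
import re
from collections import Counter

# Constructed sample of syslog lines, patterned on the ipfw log format.
# Addresses, hostnames and timestamps are invented for illustration only.
SAMPLE_LOG = """\
Sep 20 01:00:02 router /kernel: ipfw: 100 Accept TCP 192.168.1.23:1034 10.1.2.3:25 out via xy0
Sep 20 01:00:02 router /kernel: ipfw: 100 Accept TCP 192.168.1.23:1035 10.1.2.3:25 out via xy0
Sep 20 02:00:01 router /kernel: ipfw: 100 Accept TCP 192.168.1.23:1040 10.1.2.3:25 out via xy0
Sep 20 02:00:05 router /kernel: ipfw: 200 Accept ICMP:8.0 192.168.1.7 10.1.2.9 out via xy0
Sep 20 03:00:00 router /kernel: ipfw: 100 Accept TCP 192.168.1.50:2001 10.1.2.3:80 out via xy0
Sep 20 03:00:01 router /kernel: ipfw: 100 Accept TCP 10.1.2.3:80 192.168.1.50:2001 in via xy0
"""

# One ipfw log record: rule number, action, protocol (ICMP carries "type.code"
# after a colon), source and destination endpoints, direction and interface.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w.:]+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<direction>in|out) via (?P<iface>\S+)"
)


def split_endpoint(endpoint):
    """'192.168.1.23:1034' -> ('192.168.1.23', '1034'); a bare address -> (addr, None)."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        return endpoint, None
    return host, port


def parse_ipfw_line(line):
    """Return a dict of the record's fields, or None for lines that are not ipfw logs."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    return {
        "rule": int(m["rule"]),
        "action": m["action"],
        "proto": m["proto"].split(":")[0],  # 'ICMP:8.0' -> 'ICMP'
        "src_host": src_host,
        "src_port": src_port,
        "dst_host": dst_host,
        "dst_port": dst_port,
        "direction": m["direction"],
        "iface": m["iface"],
    }


def dialout_candidates(log_text, iface="xy0"):
    """Count outbound packets on `iface`, keyed by (source host, protocol, destination port).

    Inbound packets and other interfaces are skipped: the question is which
    workstation sends traffic that brings the ISDN line up, and only packets
    leaving the router can do that.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ipfw_line(line)
        if rec is None or rec["iface"] != iface or rec["direction"] != "out":
            continue
        counts[(rec["src_host"], rec["proto"], rec["dst_port"])] += 1
    return counts


if __name__ == "__main__":
    # Most frequent outbound talkers first; the top entry is the usual suspect.
    for (host, proto, dport), n in dialout_candidates(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {host:<16} {proto:<5} -> port {dport}")
```

Feed it the real log with `grep ipfw /var/log/messages` piped into `dialout_candidates`, or narrow the time window to the minutes before each dialout to separate the triggering packet from traffic that merely used the line once it was up.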