From owner-freebsd-isp Fri Sep 20 07:00:23 1996
Return-Path: owner-isp
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA17598 for isp-outgoing; Fri, 20 Sep 1996 07:00:23 -0700 (PDT)
Received: from shogun.tdktca.com ([206.26.1.21]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id HAA17557 for ; Fri, 20 Sep 1996 07:00:19 -0700 (PDT)
Received: from shogun.tdktca.com (daemon@localhost) by shogun.tdktca.com (8.7.2/8.7.2) with ESMTP id JAA06966 for ; Fri, 20 Sep 1996 09:00:22 -0500 (CDT)
Received: from fa.tdktca.com (bsd.fa.tdktca.com [163.49.131.129]) by shogun.tdktca.com (8.7.2/8.7.2) with ESMTP id JAA06960 for ; Fri, 20 Sep 1996 09:00:21 -0500 (CDT)
Received: (from alex@localhost) by fa.tdktca.com (8.7.5/8.6.12) id IAA08917; Fri, 20 Sep 1996 08:59:26 -0500 (CDT)
Date: Fri, 20 Sep 1996 08:59:26 -0500 (CDT)
From: Alex Nash
To: Richard Gresek
cc: freebsd-isp@FreeBSD.org
Subject: Re: IP-Header Log
In-Reply-To: <199609201208.MAA01399@gds.de>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-isp@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Fri, 20 Sep 1996, Richard Gresek wrote:

> Is it possible to log the IP-headers that are going through one interface?
> (Need to see the source- and the destination ip-address + the port)
>
> We are running several FreeBSD-servers for our customers as
> ISDN-Routers (with bisdn). The routers set up the ISDN-line once per
> hour, even during the night.
>
> I'd like to find which workstation on which port is sending the
> packets that cause the dialout.

How about using ipfw? [The following rules create a wide open firewall
because I have assumed that you are not currently using this box as a
firewall.]

    ipfw add accept log all from any to any via xy0

Where xy0 is replaced with your interface name. Naturally, you can
expect a *lot* of logging information from this.

You could cut it down by specifying the rule to only match packets with
the SYN flag set (if you were willing to monitor TCP connections only):

    ipfw add accept log tcp from any to any setup via xy0

[Note: older versions of ipfw were picky about the order of via and
setup, so the above may need to be reversed.]

Going a step further, you could also watch for ICMP packets (if someone
was keeping a connection alive with ping for instance):

    ipfw add accept log icmp from any to any via xy0

Don't forget, ipfw blocks everything by default. So if you're using the
last two rules, you'll also need to explicitly pass UDP packets and
established TCP packets:

    ipfw add accept all from any to any

The interface specification has been dropped to allow localhost/other
network communications.

Alex
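Once the logging rules from the reply are in place, the syslog entries still have to be boiled down to the workstation and port that trigger the dial-out. As an added example, not from the original message, here is a small Python aggregator over constructed ipfw log lines; the exact field layout of ipfw's kernel log messages differs between FreeBSD releases, so the regex and the sample lines are assumptions to adapt to the local format.

```python
import re
from collections import Counter

# Constructed sample in the general shape of ipfw's kernel log messages
# (rule number, action, protocol, src[:port], dst[:port], direction,
# interface). Addresses are made up; the field layout is an assumption.
SAMPLE_LOG = """\
Sep 20 02:00:01 bsd /kernel: ipfw: 100 Accept TCP 192.168.1.23:1025 10.0.0.5:25 out via xy0
Sep 20 02:00:02 bsd /kernel: ipfw: 100 Accept TCP 192.168.1.23:1026 10.0.0.5:25 out via xy0
Sep 20 03:00:00 bsd /kernel: ipfw: 200 Accept ICMP:8.0 192.168.1.40 10.0.0.9 out via xy0
Sep 20 03:00:05 bsd /kernel: ipfw: 100 Accept TCP 10.0.0.5:4000 192.168.1.23:22 in via xy0
Sep 20 04:00:00 bsd /kernel: ipfw: 100 Accept TCP 192.168.1.23:1027 10.0.0.5:25 out via xy0
"""

# Ports are optional so that ICMP entries (no ports, "ICMP:type.code") parse too.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w:.]+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_line(line):
    """Return the parsed fields of one ipfw log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = rec["proto"].split(":")[0]  # "ICMP:8.0" -> "ICMP"
    return rec


def dialout_talkers(lines, iface="xy0"):
    """Count outbound logged packets per (src, proto, dport) on iface.

    Only outbound traffic can bring the ISDN line up, so inbound entries
    and entries for other interfaces are skipped.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dir"] != "out" or rec["iface"] != iface:
            continue
        counts[(rec["src"], rec["proto"], rec["dport"] or "-")] += 1
    return counts


def report(lines, iface="xy0"):
    """Most frequent outbound talkers first, one line each."""
    return [f"{n:4d}  {src} {proto} dport={dport}"
            for (src, proto, dport), n in dialout_talkers(lines, iface).most_common()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```

On a real router, feed it the lines from the syslog file that receives the kernel facility instead of SAMPLE_LOG.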