Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 29 Jan 2007 16:04:35 -0200
From:      "Victor Loureiro Lima" <victorloureirolima@gmail.com>
To:        freebsd-net@freebsd.org
Subject:   Interface security considerations
Message-ID:  <ac00e00a0701291004s646a137cr9b1103f56e887ecf@mail.gmail.com>

next in thread | raw e-mail | index | archive | help
Hello -net@,

 A question came into my mind a few days
ago while I was coding some application using
libpcap on freebsd:
 - Whats the best way to determine if an application
is listening on an interface and sniffing packets that
goes through it? I've seen that a couple of process
that are using libpcap can be traced back to open file
descriptors to /dev/bpfX files using fstat(1), even with
sockstat(1) I can figure out that a certain process has
an open "something" and further investigate it, but I was
wondering whats the common practice for freebsd users
finding out this sort of thing?

  - While I was trying to figure out which process was
listening on a certain interfaces an idea for a patch in
sys/net/bpf.c functions bpf_open() and bpf_close() that
would simply printf(9) the PID (d->bd_pid = td->td_proc->p_pid;)
of a process that was trying to open the BPF device, while
it was a simple patch, I am not sure if using the BPF device
is the only possible way to sniff the packets from an
interface, I know that linux implement sock_packet, and
some systems have DLPI, just to get things straight,
If an application wants to be able to sniff packets on a interface
the only possible way (without messing with kernel at all) is
using the BPF interface or are there other ways (even if they
are not portable out of FreeBSD at all) of doing this?

   - Is "device bpf" enabled by default on GENERIC kernel?

Thanks in advance,
Victor Loureiro Lima



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ac00e00a0701291004s646a137cr9b1103f56e887ecf>