From: "Victor Loureiro Lima" <victorloureirolima@gmail.com>
To: freebsd-net@freebsd.org
Date: Mon, 29 Jan 2007 16:04:35 -0200
Subject: Interface security considerations
List-Id: Networking and TCP/IP with FreeBSD

Hello -net@,

A question came into my mind a few days ago while I was coding some application using libpcap on FreeBSD:

- What's the best way to determine if an application is listening on an interface and sniffing packets that go through it? I've seen that a couple of processes that are using libpcap can be traced back to open file descriptors to /dev/bpfX files using fstat(1); even with sockstat(1) I can figure out that a certain process has an open "something" and further investigate it, but I was wondering what's the common practice for FreeBSD users finding out this sort of thing?

- While I was trying to figure out which process was listening on certain interfaces, an idea came up for a patch in sys/net/bpf.c functions bpf_open() and bpf_close() that would simply printf(9) the PID (d->bd_pid = td->td_proc->p_pid;) of a process that was trying to open the BPF device. While it was a simple patch, I am not sure if using the BPF device is the only possible way to sniff the packets from an interface. I know that Linux implements sock_packet, and some systems have DLPI. Just to get things straight: if an application wants to be able to sniff packets on an interface, is the only possible way (without messing with the kernel at all) using the BPF interface, or are there other ways (even if they are not portable outside of FreeBSD at all) of doing this?

- Is "device bpf" enabled by default on the GENERIC kernel?

Thanks in advance,
Victor Loureiro Lima
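The fstat(1)-based check the post describes, as an added example that is not part of the original message or of FreeBSD: a small shell filter that picks out every process holding an open descriptor on a BPF device from fstat output. The column layout it assumes (USER CMD PID FD MOUNT INUM MODE SZ|DV R/W) and the sample output it parses are assumptions, constructed for the example, and should be checked against the running system's fstat(1).

```shell
#!/bin/sh
# Added example (not from the original post): list processes that hold an
# open descriptor on a BPF device, the usual footprint of a libpcap-based
# sniffer on FreeBSD. Works on fstat(1) output read from stdin.
# Assumed fstat column layout: USER CMD PID FD MOUNT INUM MODE SZ|DV R/W.

# Print "PID CMD FD USER" for each line whose MOUNT is /dev and whose SZ|DV
# column names a bpf device (bpf, bpf0, bpf1, ...). Skips the header line.
bpf_holders() {
    awk 'NR > 1 && $5 == "/dev" && $8 ~ /^bpf[0-9]*$/ { print $3, $2, $4, $1 }'
}

# Constructed sample of fstat output (not captured from a real host):
# two sniffers on bpf devices, a shell with only a tty, and a socket line.
SAMPLE_FSTAT='USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
root     tcpdump     1234    3 /dev         91 crw-------   bpf0   r
victor   sh          2345    0 /dev         45 crw--w----  ttyp1  rw
root     snort       3456    5 /dev         92 crw-------   bpf1   r
root     sshd        4567    3* internet stream tcp deadbeef'

# Holders found in the constructed sample, one "PID CMD FD USER" per line.
sample_holders() {
    printf '%s\n' "$SAMPLE_FSTAT" | bpf_holders
}

# Number of distinct PIDs with a BPF device open in the sample.
count_sample_holders() {
    sample_holders | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# On a live FreeBSD host (root needed to see other users' descriptors):
#   fstat | bpf_holders
sample_holders
```

A process that opens /dev/bpf and then drops the descriptor between captures will not show up in a single snapshot, so run the check periodically or pair it with the bpf_open()/bpf_close() logging idea from the post.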