Date: Sun, 17 Mar 2002 00:12:18 -0500
From: Dug Song <dugsong@monkey.org>
To: Robert Watson <rwatson@freebsd.org>
Cc: Poul-Henning Kamp <phk@freebsd.org>, hackers@freebsd.org, security@freebsd.org
Subject: Re: Userland Hacker Task: divert socket listener...
Message-ID: <20020317051218.GM30121@naughty.monkey.org>
In-Reply-To: <Pine.NEB.3.96L.1020316095654.13304S-100000@fledge.watson.org>
References: <35126.1015973393@critter.freebsd.dk> <Pine.NEB.3.96L.1020316095654.13304S-100000@fledge.watson.org>
On Sat, Mar 16, 2002 at 09:57:46AM -0500, Robert Watson wrote:
> Heh. I had something a little like that at one point -- it just
> acted as a pass-through, but also logged in the pcap format. I
> thought someone had done modifications to tcpdump to allow it to
> speak to divert sockets, don't know that it was ever actually
> committed. Might be in the PR's still. Was great for testing and
> understanding firewall rules.

in OpenBSD pf, packets matching a 'log' rule are dup'd to the pflog
dummy device, annotated with an additional header (interface, rule
number, reason, etc.). you can then use pflogd, tcpdump (either in
OpenBSD or from tcpdump.org), or snort listening on pflog0 to save the
packets in pcap format, print them out, or analyze them for attacks,
etc.

-d.

---
http://www.monkey.org/~dugsong/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020317051218.GM30121>