Date:      Sun, 17 Mar 2002 00:12:18 -0500
From:      Dug Song <dugsong@monkey.org>
To:        Robert Watson <rwatson@freebsd.org>
Cc:        Poul-Henning Kamp <phk@freebsd.org>, hackers@freebsd.org, security@freebsd.org
Subject:   Re: Userland Hacker Task: divert socket listener...
Message-ID:  <20020317051218.GM30121@naughty.monkey.org>
In-Reply-To: <Pine.NEB.3.96L.1020316095654.13304S-100000@fledge.watson.org>
References:  <35126.1015973393@critter.freebsd.dk> <Pine.NEB.3.96L.1020316095654.13304S-100000@fledge.watson.org>

On Sat, Mar 16, 2002 at 09:57:46AM -0500, Robert Watson wrote:

> Heh. I had something a little like that at one point -- it just
> acted as a pass-through, but also logged in the pcap format.  I
> thought someone had done modifications to tcpdump to allow it to
> speak to divert sockets, don't know that it was ever actually
> committed.  Might be in the PRs still.  Was great for testing and
> understanding firewall rules.

in OpenBSD pf, packets matching a 'log' rule are dup'd to the pflog
dummy device, annotated with an additional header (interface, rule
number, reason, etc.).

you can then use pflogd, tcpdump (either in OpenBSD or from
tcpdump.org), or snort listening on pflog0 to save the packets in pcap
format, print them out, or analyze them for attacks, etc.

-d.

---
http://www.monkey.org/~dugsong/
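As an added example (not part of the original message or of pf/tcpdump), here is a small decoder for the per-packet annotation pflog prepends, which is what tcpdump or snort on pflog0 actually sees. It assumes the 64-byte `struct pfloghdr` layout from FreeBSD's `net/if_pflog.h` (DLT_PFLOG link type), not the shorter 2002 OpenBSD header, and the sample frame is constructed.

```python
import struct
from dataclasses import dataclass

# Assumed layout (FreeBSD net/if_pflog.h): length, af, action, reason, ifname[16],
# ruleset[16], rulenr, subrulenr, uid, pid, rule_uid, rule_pid, dir, pad[3].
# The length byte carries 61 (everything up to the pad); the kernel rounds the
# header it emits to 64 bytes. rulenr/subrulenr are stored in network byte order.
PFLOG_HDRLEN = 64
_FMT = "!BBBB16s16sII"          # fields up to and including subrulenr (44 bytes)
ACTIONS = {0: "pass", 1: "block"}                  # PF_PASS / PF_DROP
REASONS = {0: "match", 1: "bad-offset", 2: "fragment", 3: "short",
           4: "normalize", 5: "memory"}
DIRS = {0: "in/out", 1: "in", 2: "out"}            # PF_INOUT / PF_IN / PF_OUT

@dataclass
class PflogRecord:
    ifname: str
    ruleset: str
    rulenr: int
    action: str
    reason: str
    direction: str
    af: int
    payload: bytes      # the raw IP packet that follows the annotation

def parse_pflog(frame: bytes) -> PflogRecord:
    """Split one DLT_PFLOG frame into the pf annotation and the packet it wraps."""
    if len(frame) < PFLOG_HDRLEN:
        raise ValueError("truncated pflog header (%d bytes)" % len(frame))
    length, af, action, reason, ifname, ruleset, rulenr, _sub = struct.unpack_from(_FMT, frame, 0)
    if length > PFLOG_HDRLEN:
        raise ValueError("pflog length field %d is larger than the header" % length)
    direction = frame[60]          # 'dir' byte sits after the four uid/pid words
    return PflogRecord(
        ifname=ifname.split(b"\0", 1)[0].decode(),
        ruleset=ruleset.split(b"\0", 1)[0].decode(),
        rulenr=rulenr,
        action=ACTIONS.get(action, "action-%d" % action),
        reason=REASONS.get(reason, "reason-%d" % reason),
        direction=DIRS.get(direction, "dir-%d" % direction),
        af=af,
        payload=frame[PFLOG_HDRLEN:],
    )

def build_sample_frame() -> bytes:
    """Constructed frame: 'block in on em0' matching rule 7, wrapping a bare IPv4 header."""
    hdr = struct.pack(_FMT, 61, 2, 1, 0, b"em0", b"", 7, 0xFFFFFFFF)  # af=AF_INET, no subrule
    hdr += struct.pack("!IIII", 0, 0, 0, 0)        # uid, pid, rule_uid, rule_pid (unused here)
    hdr += bytes([1, 0, 0, 0])                     # dir = PF_IN, then 3 pad bytes
    ipv4 = bytes.fromhex("4500001400010000400600000a0000010a000002")  # constructed 20-byte header
    return hdr + ipv4
```

`parse_pflog(build_sample_frame())` yields the same fields tcpdump's `-e` printer shows for pflog frames (rule 7, match, block in on em0) with the IPv4 packet left intact for further decoding.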
