From owner-freebsd-security Sat Mar 16 21:12:35 2002
Delivered-To: freebsd-security@freebsd.org
Received: from naughty.monkey.org (naughty.monkey.org [204.181.64.8]) by hub.freebsd.org (Postfix) with ESMTP id 1D70737B404; Sat, 16 Mar 2002 21:12:24 -0800 (PST)
Received: by naughty.monkey.org (Postfix, from userid 1001) id 5864917AD04; Sun, 17 Mar 2002 00:12:18 -0500 (EST)
Date: Sun, 17 Mar 2002 00:12:18 -0500
From: Dug Song
To: Robert Watson
Cc: Poul-Henning Kamp, hackers@freebsd.org, security@freebsd.org
Subject: Re: Userland Hacker Task: divert socket listener...
Message-ID: <20020317051218.GM30121@naughty.monkey.org>
References: <35126.1015973393@critter.freebsd.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.25i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Mar 16, 2002 at 09:57:46AM -0500, Robert Watson wrote:
> Heh. I had something a little like that at one point -- it just
> acted as a pass-through, but also logged in the pcap format. I
> thought someone had done modifications to tcpdump to allow it to
> speak to divert sockets, don't know that it was ever actually
> committed. Might be in the PR's still. Was great for testing and
> understanding firewall rules.

in OpenBSD pf, packets matching a 'log' rule are dup'd to the pflog dummy device, annotated with an additional header (interface, rule number, reason, etc.). you can then use pflogd, tcpdump (either in OpenBSD or from tcpdump.org), or snort listening on pflog0 to save the packets in pcap format, print them out, or analyze them for attacks, etc.

-d.

---
http://www.monkey.org/~dugsong/
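The extra header Dug describes is what makes pflog captures more useful than a plain interface tap: every frame carries the interface, rule number, action, reason and direction ahead of the IP packet. The following decoder is an added example, not code from this thread or from pf; it assumes the current 64-byte DLT_PFLOG `struct pfloghdr` layout as written by FreeBSD's pflog and decoded by tcpdump (network byte order, length field 61 rounded up to 64), not the shorter header OpenBSD used in 2002, and the sample frame is constructed rather than captured.

```python
"""Decode the header pf prepends to each logged packet on pflog0 (DLT_PFLOG)."""
import struct

# Assumed layout: struct pfloghdr as in FreeBSD/tcpdump, big-endian, 64 bytes.
PFLOG_FMT = ">BBBB16s16sIIIIIIB3x"  # length, af, action, reason, ifname, ruleset,
PFLOG_HDR_SIZE = struct.calcsize(PFLOG_FMT)  # rulenr, subrulenr, uid, pid, rule_uid, rule_pid, dir

PF_ACTIONS = {0: "pass", 1: "block", 2: "scrub", 4: "nat", 8: "rdr", 10: "synproxy-drop"}
PF_REASONS = {0: "match", 1: "bad-offset", 2: "fragment", 3: "short", 4: "normalize", 5: "memory"}
PF_DIRS = {0: "in/out", 1: "in", 2: "out"}
NONE32 = 0xFFFFFFFF  # pf stores "no subrule" / "no uid" as all-ones


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_pflog(buf: bytes) -> dict:
    """Split one pflog frame into its decoded header and the encapsulated IP packet."""
    if len(buf) < PFLOG_HDR_SIZE:
        raise ValueError(f"pflog header needs {PFLOG_HDR_SIZE} bytes, got {len(buf)}")
    (length, af, action, reason, ifname, ruleset, rulenr, subrulenr,
     uid, pid, rule_uid, rule_pid, direction) = struct.unpack(PFLOG_FMT, buf[:PFLOG_HDR_SIZE])
    # The kernel writes the unpadded struct size (61); the packet starts at the
    # size rounded up to 4 bytes, which is how tcpdump locates it as well.
    offset = (length + 3) & ~3
    return {
        "af": af,
        "action": PF_ACTIONS.get(action, f"action#{action}"),
        "reason": PF_REASONS.get(reason, f"reason#{reason}"),
        "ifname": _cstr(ifname),
        "ruleset": _cstr(ruleset),
        "rulenr": rulenr,
        "subrulenr": None if subrulenr == NONE32 else subrulenr,
        "uid": None if uid == NONE32 else uid,
        "dir": PF_DIRS.get(direction, f"dir#{direction}"),
        "packet": buf[offset:],
    }


def summarize(hdr: dict) -> str:
    """One-line rendering in the style of tcpdump's pflog printer."""
    rule = str(hdr["rulenr"]) if hdr["subrulenr"] is None else f"{hdr['rulenr']}.{hdr['subrulenr']}"
    return f"rule {rule}/{hdr['reason']}: {hdr['action']} {hdr['dir']} on {hdr['ifname']}"


# Constructed sample: an inbound packet on em0 blocked by rule 7, followed by a
# minimal 20-byte IPv4 header (no real capture was used).
SAMPLE = struct.pack(PFLOG_FMT, 61, 2, 1, 0, b"em0", b"", 7, NONE32,
                     NONE32, NONE32, 0, 0, 1) + bytes([0x45]) + bytes(19)

if __name__ == "__main__":
    h = parse_pflog(SAMPLE)
    print(summarize(h), "-", len(h["packet"]), "bytes of IP packet follow")
```

Reading frames from a pflogd-written pcap file is the same decode applied to each record's data, since pflogd stores exactly what the pflog0 device emits.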