From owner-freebsd-questions Mon Jan 31 13:33:11 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from mail-out.visi.com (kauket.visi.com [209.98.98.22]) by hub.freebsd.org (Postfix) with ESMTP id 5963C151B3 for ; Mon, 31 Jan 2000 13:33:05 -0800 (PST) (envelope-from sdk@visi.com)
Received: from isis.visi.com (isis.visi.com [209.98.98.8]) by mail-out.visi.com (Postfix) with ESMTP id CF874381A; Mon, 31 Jan 2000 15:33:02 -0600 (CST)
Received: (from sdk@localhost) by isis.visi.com (8.8.8/8.8.8) id PAA28191; Mon, 31 Jan 2000 15:33:02 -0600 (CST)
Date: Mon, 31 Jan 2000 15:33:02 -0600
From: Stephen
To: nathan
Cc: "freebsd-questions@FreeBSD.ORG"
Subject: Re: berkeley packet filter doesn't work??
Message-ID: <20000131153302.A26971@visi.com>
References: <3895FD1F.D204FF6E@ksu.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/0.96.1i
In-Reply-To: <3895FD1F.D204FF6E@ksu.edu>; from nathan on Mon, Jan 31, 2000 at 03:22:39PM -0600
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, Jan 31, 2000 at 03:22:39PM -0600, nathan wrote:
> I am trying to do some scanning of our office LAN to look for potential
> security breaches (eg. plaintext user/pass combinations thru SAMBA, POP
> auth, etc) and for inappropriate web browsing (eg. porn, hate sites,
> etc)
>
> however... when i run tcpdump, ethereal, readsmb, etc. --> all i see
> are the packets that have the host/destination address of my computer
> (the one i'm running these apps on)
>
> i have the appropriate line in my kernel config for the Berkeley Packet
> Filter
> pseudo-device bpfilter 4
>
> and i did the ol'
> sh MAKEDEV bpf0
>
> plus... if bpf isn't config'd properly, those apps won't even RUN
>
> all i'm wanting to do is scan the traffic of the approximately 20 machines
> that we have connected through a 100 mbit/s 3com switch
>
> my questions-->
>
> 1) am i incorrect in my understanding of bpf??
>
> 2) if so, what in the hell good is berkeley packet filter if i can't see
> any other packets 'sides those coming to/from my computer explicitly??
>
> 3) how can i correct this so i can see ALL (or at least MORE) of the
> LAN traffic??
>
> TIA!!

1) yes

2) you're using a switch, which "routes" on the MAC layer. You'll only
see your own traffic and broadcasts.

3) dig out the switch manual. There might be a way to enable your port
to see all the traffic.

--
sdk@yuck.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
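The reply's point is that a switch forwards a unicast frame only to the port where it has learned the destination MAC, so a BPF capture on a switched port sees its own unicast plus whatever the switch floods (broadcast, multicast, and unicast to MACs it has not learned yet). The switch feature the reply refers to is usually called port mirroring or SPAN. The following shell script is an added example, not code from the thread: it parses `tcpdump -e -n` output and counts frames that involve neither the capturing host's MAC nor a group (broadcast/multicast) address, which is the quickest way to tell whether a port is actually being mirrored. The local MAC `00:60:08:aa:bb:cc`, the interface name `xl0`, and both capture samples are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread).
# Decide whether a capture port sees traffic between OTHER hosts by
# classifying frames from `tcpdump -e -n` output.
#
# tcpdump -e prints the link-layer header as: "<ts> <srcmac> > <dstmac>, ..."
# A frame is "foreign" if neither MAC is ours and the destination is not a
# group address (broadcast/multicast).

# Assumption: the MAC of the NIC we are capturing on (hypothetical value).
LOCAL_MAC="00:60:08:aa:bb:cc"

# Constructed sample: a switched port with NO mirroring. Only our own
# unicast exchange (POP, tcp/110) plus an ARP broadcast and an IGMP multicast
# from other hosts reach us.
SAMPLE_SWITCHED='15:33:02.000001 00:60:08:aa:bb:cc > 00:50:04:11:22:33, ethertype IPv4 (0x0800), length 74: 10.0.0.5.1025 > 10.0.0.1.110: Flags [S], seq 1, win 16384, length 0
15:33:02.000002 00:50:04:11:22:33 > 00:60:08:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 10.0.0.1.110 > 10.0.0.5.1025: Flags [S.], seq 2, ack 2, win 16384, length 0
15:33:02.000003 00:a0:24:de:ad:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.1 tell 10.0.0.7, length 46
15:33:02.000004 00:a0:24:de:ad:02 > 01:00:5e:00:00:01, ethertype IPv4 (0x0800), length 60: 10.0.0.9 > 224.0.0.1: igmp query v2'

# Constructed sample: the same port after the switch mirrors the uplink to
# it. Now an SMB session (tcp/139) between two other hosts is visible too.
SAMPLE_MIRRORED="$SAMPLE_SWITCHED
15:33:02.000005 00:a0:24:de:ad:01 > 00:a0:24:de:ad:02, ethertype IPv4 (0x0800), length 90: 10.0.0.7.1026 > 10.0.0.9.139: Flags [P.], seq 1:37, ack 1, win 8760, length 36
15:33:02.000006 00:a0:24:de:ad:02 > 00:a0:24:de:ad:01, ethertype IPv4 (0x0800), length 60: 10.0.0.9.139 > 10.0.0.7.1026: Flags [.], ack 37, win 8760, length 0"

# count_foreign CAPTURE_TEXT LOCAL_MAC
# Prints the number of frames exchanged between two hosts other than us.
count_foreign() {
    printf '%s\n' "$1" | awk -v me="$2" '
        BEGIN { me = tolower(me) }
        $3 == ">" {
            src = tolower($2)
            dst = tolower($4); sub(/,$/, "", dst)
            # I/G bit: low bit of the first octet set => group address.
            # ff:ff:ff:ff:ff:ff (broadcast) and 01:00:5e:... (IPv4 multicast)
            # both satisfy this.
            grp = (substr(dst, 2, 1) ~ /[13579bdf]/)
            if (src != me && dst != me && !grp) n++
        }
        END { print n + 0 }'
}

# verdict CAPTURE_TEXT LOCAL_MAC
# Prints "foreign-traffic-seen" or "local-only".
verdict() {
    if [ "$(count_foreign "$1" "$2")" -gt 0 ]; then
        echo foreign-traffic-seen
    else
        echo local-only
    fi
}

# Stand-alone run on the constructed samples.
echo "switched port, no mirror: $(verdict "$SAMPLE_SWITCHED" "$LOCAL_MAC")"
echo "switched port, mirrored:  $(verdict "$SAMPLE_MIRRORED" "$LOCAL_MAC")"

# Against a live capture (xl0 is an assumed FreeBSD 3Com interface name;
# tcpdump puts the NIC in promiscuous mode by default, which a mirrored
# port still needs, otherwise the NIC itself drops frames not addressed to it):
#   verdict "$(tcpdump -e -n -i xl0 -c 500 2>/dev/null)" "$LOCAL_MAC"
```

Two caveats when reading the result. A switch also floods unicast frames whose destination MAC it has not learned yet, or whose table entry has aged out, so a handful of foreign frames in a short capture does not prove the port is mirrored; sustained foreign unicast between the same pair of hosts does. And a mirrored port only sees traffic that crosses the mirrored ports, so what to mirror (the uplink, or every access port) is the decision the switch manual has to answer.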