From owner-freebsd-net@FreeBSD.ORG Mon Jan 29 19:21:34 2007
Return-Path:
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Message-ID:
Date: Mon, 29 Jan 2007 20:55:11 +0200
From: "Vlad GALU"
To: "Victor Loureiro Lima"
Cc: freebsd-net@freebsd.org
In-Reply-To:
References:
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Subject: Re: Interface security considerations
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Mon, 29 Jan 2007 19:21:34 -0000

On 1/29/07, Victor Loureiro Lima wrote:
> Hello -net@,
>
> A question came into my mind a few days ago while I was coding some
> application using libpcap on FreeBSD:
>
> - What's the best way to determine if an application is listening on
> an interface and sniffing packets that go through it? I've seen that
> a couple of processes that are using libpcap can be traced back to
> open file descriptors to /dev/bpfX files using fstat(1); even with
> sockstat(1) I can figure out that a certain process has an open
> "something" and further investigate it, but I was wondering what's
> the common practice for FreeBSD users finding out this sort of thing?

See ports/net/bpfstat. BPF already exposes that info to the userspace
programs.

> - While I was trying to figure out which process was listening on
> certain interfaces, an idea came to mind for a patch in sys/net/bpf.c,
> functions bpf_open() and bpf_close(), that would simply printf(9) the
> PID (d->bd_pid = td->td_proc->p_pid;) of a process that was trying to
> open the BPF device. While it was a simple patch, I am not sure if
> using the BPF device is the only possible way to sniff the packets
> from an interface. I know that Linux implements sock_packet, and some
> systems have DLPI. Just to get things straight: if an application
> wants to be able to sniff packets on an interface, is the only
> possible way (without messing with the kernel at all) using the BPF
> interface, or are there other ways (even if they are not portable out
> of FreeBSD at all) of doing this?

No, there aren't any other interfaces. Unless you modify the
ether_input() routine. And BPF is the most portable method in use
nowadays.

> - Is "device bpf" enabled by default on the GENERIC kernel?

Yes.

> Thanks in advance,
> Victor Loureiro Lima
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>

--
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.
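Added worked example (editor's addition, not code from either mail or from the FreeBSD tree): the fstat(1)-based approach Victor describes, turned into a small script. fstat prints one line per open descriptor with the columns USER CMD PID FD MOUNT INUM MODE SZ|DV R/W; for a character device the SZ|DV column carries the device name, so a BPF consumer appears as a line with MOUNT=/dev and SZ|DV=bpfN (or plain bpf on systems with a cloning /dev/bpf). The fstat output below is a constructed sample, not a capture from a real host, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: list processes holding /dev/bpf* descriptors by parsing
# fstat(1) output. Not from the thread; names below are this example's own.
#
# fstat(1) columns: USER CMD PID FD MOUNT INUM MODE SZ|DV R/W
# Character devices show the device name in SZ|DV, socket lines carry
# "internet"/"local" in the MOUNT position, so both are easy to tell apart.

# Constructed sample of fstat(1) output (not captured from a real system).
SAMPLE_FSTAT='USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
root     tcpdump     1234    3 /dev         95 crw-------   bpf0 r
root     tcpdump     1234    4 /dev         11 crw-rw-rw-   null w
root     sshd         712    3* internet stream tcp c0d1e2f3
nobody   dhclient     501    5 /dev         96 crw-------   bpf1 r
root     dhclient     501    0 /dev         11 crw-rw-rw-   null rw
root     getty        620    0 /dev         20 crw-------  ttyv0 rw'

# bpf_users: read fstat(1) output on stdin and print "PID CMD DEVICE" for
# every descriptor that refers to a BPF device. The header line (SZ|DV),
# non-BPF devices (null, ttyv0) and socket lines (MOUNT != /dev) fall out
# of the two field tests. The regex also accepts a bare "bpf" device name.
bpf_users() {
    awk '$5 == "/dev" && $8 ~ /^bpf[0-9]*$/ { print $3, $2, $8 }' | sort -u
}

# bpf_user_count: number of distinct (PID, CMD, DEVICE) triples on stdin.
bpf_user_count() {
    bpf_users | wc -l | tr -d ' '
}

# live_bpf_users: run against the local system when fstat(1) is present
# (FreeBSD); prints nothing on systems without it. Run as root to see
# descriptors of all users' processes.
live_bpf_users() {
    if command -v fstat >/dev/null 2>&1; then
        fstat 2>/dev/null | bpf_users
    fi
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_FSTAT" | bpf_users
```

On the sample this reports tcpdump (PID 1234) on bpf0 and dhclient (PID 501) on bpf1, and nothing for sshd or getty. Note the caveat a check like this carries: it only sees processes that currently hold a BPF descriptor, so a sniffer that opened, read and closed the device between two runs is missed, which is what motivated the bpf_open() logging idea in the question.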