From owner-freebsd-questions Mon Jan 31 22:49:12 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.rdc1.tn.home.com (ha1.rdc1.tn.home.com [24.2.7.66])
    by builder.freebsd.org (Postfix) with ESMTP id DF7CE3D04
    for ; Mon, 31 Jan 2000 22:49:09 -0800 (PST)
Received: from [192.168.1.10] ([24.4.115.31]) by mail.rdc1.tn.home.com
    (InterMail v4.01.01.00 201-229-111) with ESMTP
    id <20000201040741.LRK18661.mail.rdc1.tn.home.com@[24.4.115.31]>;
    Mon, 31 Jan 2000 20:07:41 -0800
Date: Mon, 31 Jan 2000 23:05:30 -0500
From: Ben WIlliams
X-Mailer: The Bat! (v1.34a) UNREG / CD5BF9353B3B7091
Reply-To: Ben WIlliams
X-Priority: 3 (Normal)
Message-ID: <13962.000131@Home.Com>
To: nathan
Cc: FreeBSD questions
Subject: Re: berkeley packet filter doesn't work??
In-reply-To: <3895FD1F.D204FF6E@ksu.edu>
References: <3895FD1F.D204FF6E@ksu.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Monday, January 31, 2000

In order to be able to see the packets from other computers you will
either have to have the BSD machine as a gateway through which all
traffic passes or (possibly? BPF hackers correct me here) have all the
other NICs set to promiscuous mode. I also think you'll have to have a
BPF device for each NIC you want to spy on. (BPF hackers?)

--Ben.

Monday, January 31, 2000, 16:22:39, you wrote:

n> I am trying to do some scanning of our office LAN to look for potential
n> security breaches (eg. plaintext user/pass combinations thru SAMBA, POP
n> auth, etc) and for inappropriate web browsing (eg. porn, hate sites,
n> etc)

n> however... when i run tcpdump, ethereal, readsmb, etc. --> all i see
n> are the packets that have the host/destination address of my computer
n> (the one i'm running these apps on)

n> i have the appropriate line in my kernel config for the Berkeley Packet
n> Filter

n> pseudo-device bpfilter 4

n> and i did the ol

n> sh MAKEDEV bpf0

n> plus.. if bpf isn't config'd properly, those apps won't even RUN

n> all i'm wanting to do is scan the traffic of the approximate 20 machines
n> that we have connected through a 100 mbit/s 3com switch

n> my questions-->>

n> 1) am i incorrect in my understanding of bpf??
n> 2) if so, what in the hell good is berkeley packet filter if i can't see
n> any other packets 'sides those coming to/from my computer explicitly??
n> 3) how can i correct this so i can see ALL (or at least MORE) of the
n> LAN traffic??

n> TIA!!

n> To Unsubscribe: send mail to majordomo@FreeBSD.org
n> with "unsubscribe freebsd-questions" in the body of the message

-- 
Ben mailto:williamsl@Home.Com
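
The question says the roughly 20 machines are connected through a switch. The following is an added illustration, not part of the original thread: a toy model of a MAC-learning switch that shows which frames are delivered to the capture host's port, which is the upper bound on what tcpdump or any other BPF reader on that host can record. The MAC addresses, port numbers, sample traffic and the `mirror_to` monitor-port option are constructed assumptions; the thread does not say whether this switch offers port mirroring.

```python
# Toy MAC-learning switch (constructed model; not FreeBSD, BPF or 3Com code).
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    def __init__(self, ports, mirror_to=None):
        self.ports = list(ports)
        self.mirror_to = mirror_to   # optional monitor port (assumed feature)
        self.mac_table = {}          # source MAC -> port it was last seen on

    def forward(self, in_port, src, dst):
        """Learn the sender's port and return the ports the frame leaves on."""
        self.mac_table[src] = in_port
        if dst != BROADCAST and dst in self.mac_table:
            out = {self.mac_table[dst]}      # known unicast: one port only
        else:
            out = set(self.ports)            # broadcast or unknown: flood
        out.discard(in_port)
        if self.mirror_to is not None and self.mirror_to != in_port:
            out.add(self.mirror_to)          # copy to the monitor port
        return out

def frames_seen(switch, sniffer_port, traffic):
    """Descriptions of frames that physically arrive at sniffer_port."""
    return [note for in_port, src, dst, note in traffic
            if sniffer_port in switch.forward(in_port, src, dst)]

# Constructed sample traffic: (ingress port, src MAC, dst MAC, description).
A, B, S = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:53"
TRAFFIC = [
    (1, A, BROADCAST, "A ARP who-has B"),
    (2, B, A, "B ARP reply"),
    (1, A, B, "A -> B POP3 login"),
    (2, B, A, "B -> A POP3 response"),
    (1, A, S, "A -> sniffer ping"),
    (3, S, A, "sniffer -> A reply"),
]

if __name__ == "__main__":
    # The capture host sits on port 3 in both runs.
    plain = frames_seen(LearningSwitch([1, 2, 3]), 3, TRAFFIC)
    mirrored = frames_seen(LearningSwitch([1, 2, 3], mirror_to=3), 3, TRAFFIC)
    print("no mirror port:", plain)
    print("mirror to port 3:", mirrored)
```

In this model the A-to-B exchange never reaches port 3 unless the switch is configured to copy traffic to it, which matches the symptom described in the question.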