Date: Thu, 10 Feb 2000 12:49:12 -0800 (PST)
From: Archie Cobbs <archie@whistle.com>
To: asmodai@wxs.nl (Jeroen Ruigrok/Asmodai)
Cc: lists@security.za.net, hackers@FreeBSD.ORG
Subject: Re: IPFW / IP Filter question
Message-ID: <200002102049.MAA51286@bubba.whistle.com>
In-Reply-To: <20000206124959.E319@daemon.ninth-circle.org> from Jeroen Ruigrok/Asmodai at "Feb 6, 2000 12:49:59 pm"

Jeroen Ruigrok/Asmodai writes:
> >I would have thought you would use the tee option in ipfw for this, but
> >it's not implemented yet according to my man pages, so I was wondering if
> >there was another way to do this, cause it makes traffic analysis a hell
> >of a lot easier if I can do this rather than having to sniff it with bpf
> >or something.
>
> Didn't CURRENT add the tee option by now?

Yes, I added ``ipfw tee'' to current.. however, it's not completely
perfect yet but should be usable.

FYI, you can combine ``tee'' with ngctl(8) and netgraph's ksocket node
type to get a tcpdump-like effect.. eg:

  $ ipfw add 100 tee 1234 icmp from any to any in icmptype 8
  $ ngctl
  Available commands:
  [ ... snip ... ]
  + mkpeer ksocket foo inet/raw/divert
  + msg foo bind inet/0.0.0.0:1234
  Rec'd data packet on hook "foo":
  0000: 45 00 00 54 99 f7 00 00 ff 01 e8 be c3 4c cd 07 E..T.........L..
  0010: c3 4c cd 51 08 00 51 7e 4f c8 00 00 a6 23 a3 38 .L.Q..Q~O....#.8
  0020: 15 5a 0d 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 .Z..............
  0030: 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 ............ !"#
  0040: 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 $%&'()*+,-./0123
  0050: 34 35 36 37                                     4567
  +
  Rec'd data packet on hook "foo":
  0000: 45 00 00 54 99 fe 00 00 ff 01 e8 b7 c3 4c cd 07 E..T.........L..
  0010: c3 4c cd 51 08 00 a3 a6 50 c8 00 00 a8 23 a3 38 .L.Q....P....#.8
  0020: c8 31 05 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 .1..............
  0030: 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 ............ !"#
  0040: 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 $%&'()*+,-./0123
  0050: 34 35 36 37                                     4567
  + quit

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
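
Added example, not part of Archie's message: Python code that rebuilds the first packet from the dump format shown in the ngctl session and decodes its IPv4 and ICMP headers, confirming it is the echo request (ICMP type 8) that the ipfw rule tees. The function names are made up for this example, and the parser assumes up to 16 hex bytes per dump line followed by an ASCII column.

```python
import re
import struct

# First packet from the ngctl session above, copied with its ASCII column.
DUMP = r"""
0000: 45 00 00 54 99 f7 00 00 ff 01 e8 be c3 4c cd 07 E..T.........L..
0010: c3 4c cd 51 08 00 51 7e 4f c8 00 00 a6 23 a3 38 .L.Q..Q~O....#.8
0020: 15 5a 0d 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 .Z..............
0030: 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 ............ !"#
0040: 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 $%&'()*+,-./0123
0050: 34 35 36 37 4567
"""

def parse_dump(text):
    """Rebuild packet bytes from 'OFFSET: hh hh ... ascii' lines."""
    buf = bytearray()
    for line in text.splitlines():
        off, sep, rest = line.strip().partition(":")
        if not sep:
            continue                      # blank line, no offset field
        if int(off, 16) != len(buf):
            raise ValueError("offset gap at " + off)
        for tok in rest.split()[:16]:     # at most 16 bytes per line
            if not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                break                     # reached the ASCII column
            buf.append(int(tok, 16))
    return bytes(buf)

def checksum_ok(data):
    """RFC 1071 check: one's-complement sum including the checksum is 0xffff."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_echo(pkt):
    """Decode the IPv4 and ICMP headers of one tee'd packet."""
    ver_ihl, _, total_len, _, _, ttl, proto, _ = struct.unpack("!BBHHHBBH", pkt[:12])
    if ver_ihl >> 4 != 4 or proto != 1:
        raise ValueError("not an IPv4 ICMP packet")
    icmp = pkt[(ver_ihl & 0x0F) * 4:total_len]   # slice by IP length, drops stray bytes
    icmp_type, _, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (12, 16))
    return {"src": src, "dst": dst, "ttl": ttl, "type": icmp_type,
            "id": ident, "seq": seq, "icmp_csum_ok": checksum_ok(icmp)}

if __name__ == "__main__":
    print(decode_echo(parse_dump(DUMP)))
```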