From owner-freebsd-hackers Thu Feb 10 12:51: 9 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from bubba.whistle.com (bubba.whistle.com [207.76.205.7]) by builder.freebsd.org (Postfix) with ESMTP id DE2F84611 for ; Thu, 10 Feb 2000 12:51:03 -0800 (PST)
Received: (from archie@localhost) by bubba.whistle.com (8.9.3/8.9.2) id MAA51286; Thu, 10 Feb 2000 12:49:12 -0800 (PST)
From: Archie Cobbs
Message-Id: <200002102049.MAA51286@bubba.whistle.com>
Subject: Re: IPFW / IP Filter question
In-Reply-To: <20000206124959.E319@daemon.ninth-circle.org> from Jeroen Ruigrok/Asmodai at "Feb 6, 2000 12:49:59 pm"
To: asmodai@wxs.nl (Jeroen Ruigrok/Asmodai)
Date: Thu, 10 Feb 2000 12:49:12 -0800 (PST)
Cc: lists@security.za.net, hackers@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Jeroen Ruigrok/Asmodai writes:
> >I would have thought you would use the tee option in ipfw for this, but
> >it's not implemented yet according to my man pages, so I was wondering if
> >there was another way to do this, cause it makes traffic analysis a hell
> >of a lot easier if I can do this rather than having to sniff it with bpf
> >or something.
>
> Didn't CURRENT add the tee option by now?

Yes, I added ``ipfw tee'' to current.. however, it's not completely
perfect yet but should be usable.

FYI, you can combine ``tee'' with ngctl(8) and netgraph's ksocket node
type to get a tcpdump-like effect.. eg:

  $ ipfw add 100 tee 1234 icmp from any to any in icmptype 8
  $ ngctl
  Available commands:
    [ ... snip ... ]
  + mkpeer ksocket foo inet/raw/divert
  + msg foo bind inet/0.0.0.0:1234
  Rec'd data packet on hook "foo":
  0000: 45 00 00 54 99 f7 00 00 ff 01 e8 be c3 4c cd 07 E..T.........L..
  0010: c3 4c cd 51 08 00 51 7e 4f c8 00 00 a6 23 a3 38 .L.Q..Q~O....#.8
  0020: 15 5a 0d 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 .Z..............
  0030: 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 ............ !"#
  0040: 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 $%&'()*+,-./0123
  0050: 34 35 36 37                                     4567
  + Rec'd data packet on hook "foo":
  0000: 45 00 00 54 99 fe 00 00 ff 01 e8 b7 c3 4c cd 07 E..T.........L..
  0010: c3 4c cd 51 08 00 a3 a6 50 c8 00 00 a8 23 a3 38 .L.Q....P....#.8
  0020: c8 31 05 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 .1..............
  0030: 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 ............ !"#
  0040: 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 $%&'()*+,-./0123
  0050: 34 35 36 37                                     4567
  + quit

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
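The ksocket node prints each diverted packet as a raw hex dump, which is tedious to read by eye. As an added example (not part of Archie's mail or of netgraph itself), here is a small Python decoder that reassembles those dump lines into packets and extracts the IPv4 and ICMP header fields, so an analyst can confirm the tee rule delivered only what it should (ICMP echo requests, type 8). Its sample input is the two dumps from the session above, with ngctl's "+ " prompt dropped.

```python
import re
import struct

# Sample input: the two echo-request dumps from the ngctl session quoted in
# the mail (ngctl's "+ " prompt dropped, otherwise verbatim).
NGCTL_OUTPUT = """\
Rec'd data packet on hook "foo":
0000: 45 00 00 54 99 f7 00 00 ff 01 e8 be c3 4c cd 07 E..T.........L..
0010: c3 4c cd 51 08 00 51 7e 4f c8 00 00 a6 23 a3 38 .L.Q..Q~O....#.8
0020: 15 5a 0d 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 .Z..............
0030: 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 ............ !"#
0040: 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 $%&'()*+,-./0123
0050: 34 35 36 37 4567
Rec'd data packet on hook "foo":
0000: 45 00 00 54 99 fe 00 00 ff 01 e8 b7 c3 4c cd 07 E..T.........L..
0010: c3 4c cd 51 08 00 a3 a6 50 c8 00 00 a8 23 a3 38 .L.Q....P....#.8
0020: c8 31 05 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 .1..............
0030: 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 ............ !"#
0040: 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 $%&'()*+,-./0123
0050: 34 35 36 37 4567
"""
# Hex column: up to 16 byte pairs, each followed by a space or end of line, so
# the ASCII column of a short last line ("4567") is never mistaken for hex.
DUMP_LINE = re.compile(r"^[0-9a-f]{4}:((?: [0-9a-f]{2}(?= |$)){1,16})")

def parse_ngctl_dump(text):
    """Return one bytes object per "Rec'd data packet" block in ngctl output."""
    packets = []
    for line in text.splitlines():
        if "Rec'd data packet" in line:
            packets.append(bytearray())
        elif packets and (m := DUMP_LINE.match(line)):
            packets[-1].extend(bytes.fromhex(m.group(1)))
    return [bytes(p) for p in packets]

def decode_icmp(pkt):
    """Decode the IPv4 and ICMP headers of one diverted packet (ValueError if not ICMP)."""
    ver, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if ver != 4 or len(pkt) < ihl + 8:
        raise ValueError("not a complete IPv4 packet")
    total_len, ip_id, ttl, proto = struct.unpack_from("!HHxxBB", pkt, 2)
    if proto != 1:
        raise ValueError(f"protocol {proto} is not ICMP")
    if total_len != len(pkt):  # the divert socket hands over the whole datagram
        raise ValueError(f"ip_len {total_len} != {len(pkt)} captured bytes")
    itype, code, _csum, icmp_id, seq = struct.unpack_from("!BBHHH", pkt, ihl)
    return {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "ttl": ttl, "ip_id": ip_id, "icmp_type": itype, "icmp_code": code,
            "icmp_id": icmp_id, "icmp_seq": seq}

def decode_dump(text):
    """Decode every packet; the tee rule above should yield only type 8 (echo request)."""
    return [decode_icmp(p) for p in parse_ngctl_dump(text)]
```

Both packets decode as echo requests from 195.76.205.7 to 195.76.205.81 with TTL 255, which is exactly what rule 100 was written to select.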