Date: Tue, 2 Feb 1999 16:20:13 -0600 (CST)
From: James Wyatt <jwyatt@RWSystems.net>
To: Bill Woodford <woodford@cc181716-a.hwrd1.md.home.com>
Cc: ML FreeBSD Security <security@FreeBSD.ORG>
Subject: Re: tcpdump
Message-ID: <Pine.BSF.4.05.9902021607340.13018-100000@kasie.rwsystems.net>
In-Reply-To: <19990202153458.A1152@cc181716-a.hwrd1.md.home.com>
On Tue, 2 Feb 1999, Bill Woodford wrote:
[ ... ]
> watch out for. However, when I run tcpdump (as root), it gives me:
>
> tcpdump: /dev/bpf0: Device not configured
>
> I did a little reading, and realize it's possible that my NIC may not
> support it (it's a 3com 3c509 combo), but how would one tell. Can anyone

I have not used an ISA/PCI card yet that doesn't support BPF... It is an
invaluable tool around here and even better on a laptop for travelling!

Don't forget to:

1. Build a bpf device into the kernel config file like so:

     pseudo-device bpfilter 1   #Berkeley packet filter

2. Make the device like so:

     cd /dev
     ./MAKEDEV bpf0

3. Watch for syslog messages showing when it is used like:

     de0: promiscuous mode enabled

Don't make more BPFs than you need (usually 1) and leave tcpdump running
to lock it. If someone gets in and gets rootly, they can use it to sniff
passwords, discover VPN links, view IPX and SNA traffic as well as TCP,
and all manner of evil investigation...

Other executables you may want to build and use on BPF include:

trafshow - curses-based dynamic traffic list. Shows who your top traffic
  users are (host or service). Shows when you have ICMP storms and such too!

ethereal - X-based sniffer tool that I *love* showing our network folks
  that think Network General is the only decent sniffer vendor.

IMHO: BPF is one of the things I think Free/Net/OpenBSD do better than
Linux. This was back in the old VAX BSD years ago when I worked at Tandy
R&D and was interesting to read for fun and learning. I wanted it for
Windows for years, but got it back with FreeBSD. Thanks bunches! - James

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
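Step 3 of James's list (watch syslog for "promiscuous mode enabled") is the defender's side of the BPF story: every BPF consumer, legitimate tcpdump or an intruder's sniffer, leaves that kernel message behind. The script below, added here as an example and not part of the original message or of any FreeBSD tool, scans syslog-style lines for interfaces entering and leaving promiscuous mode and reports which interfaces are still promiscuous at the end of the log. The log lines, hostname and interface names are constructed for the example; the function names promisc_events and promisc_still_on are the script's own.

```shell
#!/bin/sh
# Added example (not from the original message or from FreeBSD itself):
# find interfaces that have been put into promiscuous mode, which is the
# syslog trace a BPF user such as tcpdump leaves behind.

# Constructed sample log lines in the classic FreeBSD syslog shape;
# timestamps, hostname and interface names are made up.
SAMPLE_LOG='Feb  2 16:01:12 kasie /kernel: de0: promiscuous mode enabled
Feb  2 16:05:40 kasie /kernel: de0: promiscuous mode disabled
Feb  2 16:07:03 kasie sshd[123]: Accepted publickey for jwyatt
Feb  2 16:09:55 kasie /kernel: ed1: promiscuous mode enabled'

# promisc_events LOGTEXT
# Prints one "<interface> enabled|disabled" line per promiscuous-mode
# message, in log order. The interface is the colon-terminated field that
# immediately precedes the word "promiscuous".
promisc_events() {
    printf '%s\n' "$1" | awk '
        /promiscuous mode (enabled|disabled)/ {
            for (i = 1; i < NF; i++)
                if ($i ~ /:$/ && $(i+1) == "promiscuous") {
                    iface = $i
                    sub(/:$/, "", iface)
                    print iface, $(i+3)
                }
        }'
}

# promisc_still_on LOGTEXT
# Replays the enable/disable events and prints, sorted, the interfaces
# whose last event was "enabled": these are the ones that deserve a look
# if no tcpdump of your own is supposed to be running.
promisc_still_on() {
    promisc_events "$1" | awk '
        $2 == "enabled"  { on[$1] = 1 }
        $2 == "disabled" { delete on[$1] }
        END { for (i in on) print i }' | sort
}

# Usage: on a live box you would feed /var/log/messages instead of the
# constructed sample, e.g. promisc_still_on "$(cat /var/log/messages)".
echo "promiscuous-mode events:"
promisc_events "$SAMPLE_LOG"
echo "still promiscuous at end of log:"
promisc_still_on "$SAMPLE_LOG"
```

Because the check keys on the interface field rather than on a fixed name, it works unchanged for whatever NIC driver is in use (de0, ed1, ...); comparing its output against the interfaces your own tcpdump is meant to be sitting on is the practical way to act on James's advice to leave one BPF device and know who is using it.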