From owner-freebsd-security Tue Feb 2 14:35:45 1999
Date: Tue, 2 Feb 1999 16:20:13 -0600 (CST)
From: James Wyatt
To: Bill Woodford
cc: ML FreeBSD Security
Subject: Re: tcpdump
In-Reply-To: <19990202153458.A1152@cc181716-a.hwrd1.md.home.com>

On Tue, 2 Feb 1999, Bill Woodford wrote:

[ ... ]
> watch out for. However, when I run tcpdump (as root), it gives me:
>
> tcpdump: /dev/bpf0: Device not configured
>
> I did a little reading, and realize it's possible that my NIC may not
> support it (it's a 3com 3c509 combo), but how would one tell. Can anyone

I have not used an ISA/PCI card yet that doesn't support BPF... It is an invaluable tool around here and even better on a laptop for travelling!

Don't forget to:

1. Build a bpf device into the kernel config file like so:

       pseudo-device   bpfilter   1   #Berkeley packet filter

2. Make the device like so:

       cd /dev
       ./MAKEDEV bpf0

3. Watch for syslog messages showing when it is used like:

       de0: promiscuous mode enabled

Don't make more BPFs than you need (usually 1) and leave tcpdump running to lock it.
If someone gets in and gets rootly, they can use it to sniff passwords, discover VPN links, view IPX and SNA traffic as well as TCP, and all manner of evil investigation...

Other executables you may want to build and use on BPF include:

trafshow - curses-based dynamic traffic list. Shows who your top traffic
           users are (host or service). Shows when you have ICMP storms
           and such too!

ethereal - X-based sniffer tool that I *love* showing our network folks
           that think Network General is the only decent sniffer vendor.

IMHO: BPF is one of the things I think Free/Net/OpenBSD do better than Linux. This was back in the old VAX BSD years ago when I worked at Tandy R&D and was interesting to read for fun and learning. I wanted it for Windows for years, but got it back with FreeBSD. Thanks bunches!

- James
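Step 3 of James's list is the defensive half of the advice: the kernel logs "promiscuous mode enabled" whenever something opens a BPF device and puts the NIC into promiscuous mode, so those lines are the audit trail for any sniffer, welcome or not. The following POSIX shell script is an added example, not code from the mail or from FreeBSD; the function names (promisc_events, promisc_still_on, bpf_nodes_present) are my own, and the syslog lines in SAMPLE_LOG are constructed to look like /var/log/messages entries rather than copied from a real host.

```shell
#!/bin/sh
# Added example: find interfaces that entered/left promiscuous mode from
# syslog-style lines, and report which ones are still in promiscuous mode.
# SAMPLE_LOG is constructed input in the shape of FreeBSD /var/log/messages
# entries; it is not a real log.
SAMPLE_LOG='Feb  2 16:20:13 kasie /kernel: de0: promiscuous mode enabled
Feb  2 16:22:40 kasie /kernel: de0: promiscuous mode disabled
Feb  2 17:05:02 kasie sshd[231]: Connection from 10.0.0.5
Feb  2 17:10:11 kasie /kernel: ep0: promiscuous mode enabled'

# promisc_events LOGTEXT
# Prints one "<iface> <enabled|disabled>" line per promiscuous-mode event,
# in log order. Uses awk ERE so it runs on both BSD and GNU awk.
promisc_events() {
    printf '%s\n' "$1" | awk '
        /: promiscuous mode (enabled|disabled)$/ {
            # The field just before "promiscuous" is "<iface>:"; strip the colon.
            for (i = 2; i <= NF; i++) {
                if ($i == "promiscuous") {
                    iface = $(i - 1)
                    sub(/:$/, "", iface)
                    print iface, $NF
                }
            }
        }'
}

# promisc_still_on LOGTEXT
# Replays the events and prints (sorted) the interfaces whose most recent
# event was "enabled", i.e. something is still holding a BPF device open.
promisc_still_on() {
    promisc_events "$1" | awk '
        { state[$1] = $2 }
        END { for (i in state) if (state[i] == "enabled") print i }' | sort
}

# bpf_nodes_present
# Returns 0 if at least one /dev/bpf* node exists (the MAKEDEV step above),
# 1 otherwise. Environment-dependent, so it is informational only.
bpf_nodes_present() {
    for n in /dev/bpf*; do
        [ -e "$n" ] && return 0
    done
    return 1
}

# Stand-alone run: show every event, then what is still sniffing.
echo "promiscuous-mode events:"
promisc_events "$SAMPLE_LOG"
echo "interfaces still in promiscuous mode:"
promisc_still_on "$SAMPLE_LOG"
if bpf_nodes_present; then
    echo "bpf device node(s) present under /dev"
else
    echo "no /dev/bpf* node found on this host"
fi
```

On a real host, replace SAMPLE_LOG with "$(cat /var/log/messages)" and run it from cron; an interface reported by promisc_still_on that you did not put into promiscuous mode yourself is exactly the "someone got rootly" case the mail warns about.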