From: Modulok
To: erikmccaskey64
Cc: freebsd
Date: Sat, 5 Mar 2011 11:47:19 -0700
Subject: Re: Is it safe to run tcpdump?

What do you mean by 'safe'?

The only side effects I can think of to running tcpdump on an interface
constantly are the generation of large log files (if you redirected to log
files) as well as the fact that it usually puts an interface into
'promiscuous mode'. (See the -p flag.) This offloads network traffic onto
the CPU, which could introduce additional network latency for high-throughput
networks in some situations. (As far as how much latency, if any, and whether
it's actually a problem depends on many factors. Test it.)

Other ways to generate network logs would be via the logging feature of the
PF firewall. You can set up specific rules to capture tcpdump-compatible logs
and send them either to a log file or to a pseudo network interface (the
pflog device) for live viewing. There's a chapter about this covered in
Peter Hansteen's "The Book of PF".

-Modulok-

On 3/5/11, erikmccaskey64 wrote:
> Is it safe to always run tcpdump on the server, e.g.: like this:
>
> tcpdump -qn dst net 192.168.1.0/24
>
> I need it to "audit the network" .. :\
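
The PF logging approach mentioned in the reply, sketched as an added example that is not part of the original mail or of either poster's setup. The interface name em0 and the pass rule itself are assumptions; the network is the one from the question's tcpdump filter, and the rc.conf and tcpdump lines are shown as comments.

```conf
# /etc/pf.conf fragment (constructed example)
ext_if  = "em0"                 # assumption: the server's network interface
lan_net = "192.168.1.0/24"      # network from the question's tcpdump filter

# Plain "log" records only the packet that creates the state entry.
# "log (all)" records every packet of the connection, which is closer to
# what a permanently running tcpdump would have captured.
# Assumption: this traffic is already allowed by policy; the only thing
# this rule adds to an existing pass rule is the log keyword.
pass in log (all) on $ext_if inet from any to $lan_net keep state

# Check the syntax without loading, then load the ruleset:
#   pfctl -nf /etc/pf.conf
#   pfctl -f /etc/pf.conf
#
# /etc/rc.conf on FreeBSD: enable pf and pflogd, which writes the packets
# seen on pflog0 to a file in pcap format:
#   pf_enable="YES"
#   pflog_enable="YES"
#   pflog_logfile="/var/log/pflog"
#
# Read the saved log, or watch the pflog0 pseudo-interface live:
#   tcpdump -n -e -ttt -r /var/log/pflog
#   tcpdump -n -e -ttt -i pflog0
```

Because only packets matching a logged rule reach pflog0, the log volume is bounded by the rule rather than by everything the interface sees, and the physical interface is not switched into promiscuous mode.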