Date: Mon, 15 Sep 2003 13:38:25 +0200
From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: Luigi Rizzo <rizzo@icir.org>
Cc: ipfw@freebsd.org
Subject: Re: ipfw2 logging through tcpdump ?
Message-ID: <20030915113824.GB393@FreeBSD.org>
In-Reply-To: <20030915041525.B77950@xorpc.icir.org>
References: <20030915041525.B77950@xorpc.icir.org>
On 2003.09.15 04:15:26 -0700, Luigi Rizzo wrote:
> It occurred to me that one way could be to extend the ipfw2
> "log" option to optionally pass to a bpf listener a copy of the packets
> selected by the ipfw rule (maybe with some tag showing the rule
> they come from) so that one can run a tcpdump on that stream when
> detailed analysis is required, and have essentially zero overhead in
> other cases.

I think it would be a very good idea. The current ipfw logging is
missing a lot of interesting metadata about the packets. I looked at
coding this some time ago, and while I did get it working, it is a mess
since you have to do a lot of string manipulation in the kernel to log
the appropriate information. I think using a userland program to do all
the string magic is a lot better.

> Does this make sense? And, any idea on how to tag the packet with
> a rule number in a way that tcpdump can filter (yes, I am looking
> for dirty hacks here...)

Have you looked at how IPFilter or OpenBSD's pf does this? I believe
they log packets using bpf/tcpdump (I might be wrong, I have never used
them).

-- 
Simon L. Nielsen
FreeBSD Documentation Team
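The design discussed in this thread (the kernel hands a copy of each matched packet, prefixed with a small tag carrying the rule number, to a userland listener, which does the filtering and the string formatting) as an added C example. This is not code from the thread, from ipfw or from FreeBSD: the 8-byte tag layout, the constructed record stream, the addresses, ports and rule numbers are all assumptions made for the example. The consumer walks the tagged stream, keeps only the records of a requested rule, stops on a truncated record rather than reading past the buffer, and builds the human-readable log line entirely in userland, which is the point Simon makes about keeping string manipulation out of the kernel.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tag prepended to each packet copy handed to the listener.
 * This layout is an assumption for the example, not ipfw's format:
 *   rule   (4 bytes, big-endian)  matching ipfw rule number
 *   action (2 bytes, big-endian)  0 = deny, 1 = accept (constructed)
 *   caplen (2 bytes, big-endian)  packet bytes that follow the tag */
#define TAG_LEN 8

struct summary {
    uint32_t rule;
    uint16_t action;
    uint8_t  proto;
    uint16_t sport, dport;      /* 0 unless TCP or UDP */
    char     src[16], dst[16];  /* dotted-quad IPv4 addresses */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse one tagged record. Returns bytes consumed, or 0 if the record is
 * truncated or not a sane IPv4 packet, so the caller stops instead of
 * reading past the end of the buffer. */
static size_t parse_record(const uint8_t *p, size_t len, struct summary *s) {
    if (len < TAG_LEN) return 0;
    uint16_t caplen = be16(p + 6);
    if (len - TAG_LEN < caplen) return 0;           /* truncated record */
    const uint8_t *ip = p + TAG_LEN;
    if (caplen < 20 || (ip[0] >> 4) != 4) return 0;  /* not IPv4 */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || caplen < ihl) return 0;          /* bogus header length */
    memset(s, 0, sizeof *s);
    s->rule   = be32(p);
    s->action = be16(p + 4);
    s->proto  = ip[9];
    snprintf(s->src, sizeof s->src, "%u.%u.%u.%u", ip[12], ip[13], ip[14], ip[15]);
    snprintf(s->dst, sizeof s->dst, "%u.%u.%u.%u", ip[16], ip[17], ip[18], ip[19]);
    if ((s->proto == 6 || s->proto == 17) && caplen >= ihl + 4) {
        s->sport = be16(ip + ihl);       /* TCP and UDP both start with the port pair */
        s->dport = be16(ip + ihl + 2);
    }
    return TAG_LEN + caplen;
}

/* Walk the tagged stream, keeping records for want_rule (0 = every rule).
 * Returns the number of summaries written to out. */
size_t filter_records(const uint8_t *stream, size_t len, uint32_t want_rule,
                      struct summary *out, size_t max_out) {
    size_t off = 0, n = 0;
    while (off < len && n < max_out) {
        struct summary s;
        size_t used = parse_record(stream + off, len - off, &s);
        if (used == 0) break;                        /* stop at first bad record */
        off += used;
        if (want_rule == 0 || s.rule == want_rule) out[n++] = s;
    }
    return n;
}

/* The string formatting the kernel would otherwise have to do, done in userland. */
int format_line(const struct summary *s, char *buf, size_t n) {
    const char *act = s->action ? "Accept" : "Deny";
    if (s->proto == 6 || s->proto == 17)
        return snprintf(buf, n, "ipfw: %u %s %s %s:%u %s:%u", (unsigned)s->rule, act,
                        s->proto == 6 ? "TCP" : "UDP",
                        s->src, (unsigned)s->sport, s->dst, (unsigned)s->dport);
    return snprintf(buf, n, "ipfw: %u %s P:%u %s %s", (unsigned)s->rule, act,
                    (unsigned)s->proto, s->src, s->dst);
}

/* Constructed sample stream with two tagged records, built by hand for this example. */
const uint8_t sample_stream[] = {
    /* record 1 tag: rule 100, action 0 (deny), caplen 40 */
    0x00,0x00,0x00,0x64, 0x00,0x00, 0x00,0x28,
    /* IPv4: TCP 10.0.0.1 -> 10.0.0.2 */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    /* TCP: sport 12345, dport 80, SYN */
    0x30,0x39,0x00,0x50, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x50,0x02,0x20,0x00, 0x00,0x00,0x00,0x00,
    /* record 2 tag: rule 200, action 1 (accept), caplen 28 */
    0x00,0x00,0x00,0xc8, 0x00,0x01, 0x00,0x1c,
    /* IPv4: UDP 192.168.1.5 -> 192.168.1.1 */
    0x45,0x00,0x00,0x1c, 0x00,0x02,0x00,0x00, 0x40,0x11,0x00,0x00,
    0xc0,0xa8,0x01,0x05, 0xc0,0xa8,0x01,0x01,
    /* UDP: sport 53000, dport 53 */
    0xcf,0x08,0x00,0x35, 0x00,0x08,0x00,0x00,
};

int main(void) {
    struct summary out[8];
    char line[128];
    size_t n = filter_records(sample_stream, sizeof sample_stream, 100, out, 8);
    for (size_t i = 0; i < n; i++) {
        format_line(&out[i], line, sizeof line);
        puts(line);
    }
    return 0;
}
```

Filtering by rule number here is a field comparison on the tag, which is the same thing a bpf filter on a fixed offset of the tag would do if tcpdump were pointed at such a stream; everything that costs string handling stays in this program, so the kernel side only copies bytes.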