Date:      Mon, 15 Sep 2003 13:38:25 +0200
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        Luigi Rizzo <rizzo@icir.org>
Cc:        ipfw@freebsd.org
Subject:   Re: ipfw2 logging through tcpdump ?
Message-ID:  <20030915113824.GB393@FreeBSD.org>
In-Reply-To: <20030915041525.B77950@xorpc.icir.org>
References:  <20030915041525.B77950@xorpc.icir.org>


On 2003.09.15 04:15:26 -0700, Luigi Rizzo wrote:

> It occurred to me that one way could be to extend the ipfw2
> "log" option to optionally pass to a bpf listener a copy of the packets
> selected by the ipfw rule (maybe with some tag showing the rule
> they come from) so that one can run a tcpdump on that stream when
> detailed analysis is required, and have essentially zero overhead in
> other cases.

I think it would be a very good idea.  The current ipfw logging is
missing a lot of interesting metadata about the packets.  I looked at
coding this some time ago, and while I did get it working, it is a
mess since you have to do a lot of string manipulation in the kernel to
log the appropriate information.  I think using a userland program to do
all the string magic is a lot better.

> Does this make sense ? And, any idea on how to tag the packet with
> a rule number in a way that tcpdump can filter (yes, i am looking
> for dirty hacks here...)

Have you looked at how IPFilter or OpenBSD's pf does this?  I believe
they log packets using bpf/tcpdump (I might be wrong, I have never used
them).

-- 
Simon L. Nielsen
FreeBSD Documentation Team
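As an added example (not code from this thread, and not FreeBSD's own implementation), the block below sketches the userland side of what Simon describes: a small program that takes packets an ipfw "log" rule would hand to a bpf listener and does all the "string magic" there, emitting a syslog-style line in the shape ipfw itself writes, plus metadata the kernel logger does not report (TTL, IP id, DF bit, TCP flags, sequence number, window, and whether the IP header checksum verifies). To illustrate Luigi's "tag the packet with a rule number" idea it assumes a hypothetical 4-byte pseudo link header in front of each logged IP packet (rule number and action code, big-endian); that header, the action codes, and the sample SYN packet are all constructed for this example. If such a tag sat at the start of every captured buffer, tcpdump could select one rule with a byte-offset expression on the link-layer header (something like `link[0:2] == 100`, assuming the tap presents a link type for which that offset is addressable), which is the kind of dirty hack the thread is asking about.

```python
"""Userland formatter for packets an ipfw 'log' rule hands to a bpf listener.

Example code written for this archive page, not FreeBSD code.  It assumes a
hypothetical 4-byte pseudo link header before each logged IP packet: rule
number (u16) and action code (u16), both big-endian.  Real ipfw does not
emit such a header; it is here only to show how a rule tag could be carried.
"""
import socket
import struct

TAG_FMT = "!HH"                                  # hypothetical: rule, action
TAG_LEN = struct.calcsize(TAG_FMT)
ACTIONS = {0: "Accept", 1: "Deny", 2: "Count"}   # hypothetical action codes
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_BITS = [(0x02, "S"), (0x10, "A"), (0x01, "F"),
                 (0x04, "R"), (0x08, "P"), (0x20, "U")]


def ip_checksum(hdr):
    """RFC 1071 one's-complement sum over a header whose checksum field is zero."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tagged_packet(buf):
    """Decode tag + IPv4 header + transport header into a dict of log fields."""
    if len(buf) < TAG_LEN + 20:
        raise ValueError("truncated packet")
    rule, action = struct.unpack_from(TAG_FMT, buf, 0)
    ip = buf[TAG_LEN:]
    (ver_ihl, _tos, total_len, ident, frag, ttl, proto, cksum,
     src, dst) = struct.unpack_from("!BBHHHBBH4s4s", ip, 0)
    if ver_ihl >> 4 != 4:
        raise ValueError("only IPv4 is handled here")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IHL")
    # Recompute the header checksum with the checksum field zeroed; a mismatch
    # is worth logging because the in-kernel logger never reports it.
    zeroed = ip[:10] + b"\x00\x00" + ip[12:ihl]
    rec = {
        "rule": rule,
        "action": ACTIONS.get(action, "Unknown"),
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "ttl": ttl, "len": total_len, "id": ident,
        "df": bool(frag & 0x4000), "frag_off": frag & 0x1FFF,
        "cksum_ok": ip_checksum(zeroed) == cksum,
        "sport": None, "dport": None, "tcp_flags": "", "seq": None, "win": None,
    }
    l4 = ip[ihl:]
    if proto == 6 and len(l4) >= 20:
        sport, dport, seq, _ack, off_flags, win = struct.unpack_from("!HHIIHH", l4, 0)
        rec.update(sport=sport, dport=dport, seq=seq, win=win)
        rec["tcp_flags"] = "".join(n for bit, n in TCP_FLAG_BITS if off_flags & bit) or "."
    elif proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        rec.update(sport=sport, dport=dport)
    elif proto == 1 and len(l4) >= 4:
        rec["icmp_type"], rec["icmp_code"] = struct.unpack_from("!BB", l4, 0)
    return rec


def format_log_line(rec, iface="em0", direction="in"):
    """Line in the shape of ipfw's own syslog output, with extra metadata appended."""
    if rec["sport"] is not None:
        ends = "%s:%d %s:%d" % (rec["src"], rec["sport"], rec["dst"], rec["dport"])
    else:
        ends = "%s %s" % (rec["src"], rec["dst"])
    line = "ipfw: %d %s %s %s %s via %s" % (
        rec["rule"], rec["action"], rec["proto"], ends, direction, iface)
    extra = ["ttl=%d" % rec["ttl"], "len=%d" % rec["len"], "id=%d" % rec["id"]]
    if rec["df"]:
        extra.append("DF")
    if rec["frag_off"]:
        extra.append("frag=%d" % rec["frag_off"])
    if rec["tcp_flags"]:
        extra.append("flags=%s seq=%d win=%d" % (rec["tcp_flags"], rec["seq"], rec["win"]))
    if not rec["cksum_ok"]:
        extra.append("bad-ip-cksum")
    return line + " [" + " ".join(extra) + "]"


def build_sample_packet(rule=100, action=1):
    """Constructed sample: rule tag + IPv4/TCP SYN 10.0.0.1:40000 -> 10.0.0.2:22."""
    tcp = struct.pack("!HHIIHHHH", 40000, 22, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 4242, 0x4000, 64, 6, 0,
                      socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return struct.pack(TAG_FMT, rule, action) + hdr + tcp


if __name__ == "__main__":
    print(format_log_line(parse_tagged_packet(build_sample_packet())))
```

Run stand-alone it prints one line for the constructed SYN; on a real system the same parser would sit behind a pcap reader on whatever pseudo-interface the tap exposes, which is the part this example leaves out since the page does not define it.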

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030915113824.GB393>