Date: Mon, 15 Sep 2003 13:38:25 +0200
From: "Simon L. Nielsen"
To: Luigi Rizzo
cc: ipfw@freebsd.org
Subject: Re: ipfw2 logging through tcpdump ?
List-Id: IPFW Technical Discussions

On 2003.09.15 04:15:26 -0700, Luigi Rizzo wrote:
> It occurred to me that one way could be to extend the ipfw2
> "log" option to optionally pass to a bpf listener a copy of the packets
> selected by the ipfw rule (maybe with some tag showing the rule
> they come from) so that one can run a tcpdump on that stream when
> detailed analysis is required, and have essentially zero overhead in
> other cases.

I think it would be a very good idea. The current ipfw logging is missing a lot of interesting metadata about the packets.
I looked at coding this some time ago, and while I did get it working, it is a mess since you have to do a lot of string manipulation in the kernel to log the appropriate information. I think using a userland program to do all the string magic is a lot better.

> Does this make sense? And, any idea on how to tag the packet with
> a rule number in a way that tcpdump can filter (yes, I am looking
> for dirty hacks here...)

Have you looked at how IPFilter or OpenBSD's pf does this? I believe they log packets using bpf/tcpdump (I might be wrong, I have never used them).

-- 
Simon L. Nielsen
FreeBSD Documentation Team