Date:      Tue, 01 Aug 2023 18:56:58 -0500
From:      Zane C B-H <v.velox@vvelox.net>
To:        Mark Saad <nonesuch@longcount.org>
Cc:        net@freebsd.org
Subject:   Re: Is there a FreeBSD equivalent of 'tcpdump -i any' from Linux?
Message-ID:  <cb86f295fd30f94b57aaebb3ed8d6351@vvelox.net>
In-Reply-To: <E41F5105-BDA6-43C2-A7C8-028893D6CEB7@longcount.org>
References:  <826851ce2108b23515f81a8aca8d9b0e@vvelox.net> <E41F5105-BDA6-43C2-A7C8-028893D6CEB7@longcount.org>

On 2023-08-01 18:44, Mark Saad wrote:
>> 
>> On Aug 1, 2023, at 4:39 PM, Zane C B-H <v.velox@vvelox.net> wrote:
>> 
>> So what is a good way to get all packets passing through that the 
>> kernel currently sees? Apparently any is not supported on non-Linux 
>> systems and pflog would require adding log to all rules. Similarly 
>> only logs packets that match a rule.
>> 
> 
> Just run tcpdump without the -i , iirc this will dump everything.

Nope. This just runs it on the first interface it finds.

- pflog - requires PF, requires adding it to all rules
- ipfw tee - requires ipfw, not bad but it requires someone already be 
using ipfw
- daemonlogger - unmaintained... quite literally dead upstream
- suricata - can't tell it to for example not log packets for TCP port 
443, which for most FPC purposes just chew up disk space and all 
meaningful info will be in the suricata TLS log

Now as to the question of firing up multiple instances of tcpdump, this 
means that you will have duplicate packets where bridges are involved.
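Added example, not part of the thread or of any of the tools named in it: a POSIX shell script that builds the per-interface tcpdump command lines the message is talking about, while avoiding the bridge duplication it warns of. The policy is an assumption of this example: capture on the bridge interface itself and skip its member ports, since a frame forwarded by the bridge is seen once on each member and once on the bridge. The interface inventory is constructed inline so the selection logic runs anywhere; the `live_inventory` helper that reads `ifconfig -l` and the "member:" lines of `ifconfig bridgeN` is an assumption about FreeBSD's ifconfig output and is not exercised here. The `not tcp port 443` filter mirrors the message's point that TLS payload is usually better left to a protocol log.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Decide which interfaces
# to run tcpdump on so that bridged traffic is captured once, not once per
# bridge member, then emit one tcpdump command line per capture interface.

# Constructed sample inventory, in the shape `ifconfig -l` prints.
SAMPLE_IFLIST="em0 em1 igb0 bridge0 lo0 pflog0"
# Constructed sample bridge membership: "<bridge> <member>" pairs, one per line.
SAMPLE_BRIDGE_MEMBERS="bridge0 em0
bridge0 em1"

# capture_set IFLIST MEMBERS
# Prints the interfaces to capture on, one per line. Loopback and pflog
# pseudo-interfaces are skipped; bridge member ports are skipped because the
# bridge interface already carries their forwarded frames (assumed policy).
capture_set() {
    iflist=$1
    # Flatten the member column into a space-delimited list for matching.
    member_ifs=$(printf '%s\n' "$2" | awk 'NF >= 2 { print $2 }' | tr '\n' ' ')
    for ifn in $iflist; do
        case "$ifn" in
            lo[0-9]*|pflog[0-9]*) continue ;;
        esac
        case " $member_ifs " in
            *" $ifn "*) continue ;;
        esac
        printf '%s\n' "$ifn"
    done
}

# tcpdump_cmds IFLIST MEMBERS OUTDIR FILTER
# Prints one tcpdump command line per capture interface, writing a separate
# pcap per interface (full snaplen, no name resolution, filter applied).
tcpdump_cmds() {
    outdir=$3
    filter=$4
    capture_set "$1" "$2" | while IFS= read -r ifn; do
        printf "tcpdump -i %s -n -s 0 -w %s/%s.pcap '%s'\n" \
            "$ifn" "$outdir" "$ifn" "$filter"
    done
}

# live_inventory
# Assumption about FreeBSD ifconfig output: `ifconfig -l` lists interfaces
# and `ifconfig bridgeN` prints "member: em0 flags=..." lines. Prints the
# interface list on the first line and "<bridge> <member>" pairs after it.
# Not run by default; call it on a FreeBSD host to replace the samples.
live_inventory() {
    iflist=$(ifconfig -l)
    printf '%s\n' "$iflist"
    for ifn in $iflist; do
        case "$ifn" in
            bridge[0-9]*)
                ifconfig "$ifn" | awk -v b="$ifn" '/member:/ { print b, $2 }'
                ;;
        esac
    done
}

# Stand-alone run: show the commands for the constructed sample.
# Expected: two lines, one for igb0 and one for bridge0.
tcpdump_cmds "$SAMPLE_IFLIST" "$SAMPLE_BRIDGE_MEMBERS" /var/tmp/fpc 'not tcp port 443'
```

Each emitted line is meant to be started under a supervisor (or `daemon(8)`) rather than run in a loop by hand, so a crashed capture on one interface does not silently leave a gap; the script only prints the commands so the selection can be reviewed first.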