ipfw2 logging through tcpdump ?

Simon L. Nielsen simon at FreeBSD.org
Mon Sep 15 04:38:28 PDT 2003


On 2003.09.15 04:15:26 -0700, Luigi Rizzo wrote:

> It occurred to me that one way could be to extend the ipfw2
> "log" option to optionally pass to a bpf listener a copy of the packets
> selected by the ipfw rule (maybe with some tag showing the rule
> they come from) so that one can run a tcpdump on that stream when
> detailed analysis is required, and have essentially zero overhead in
> other cases.

I think it would be a very good idea.  The current ipfw logging is
missing a lot of interesting metadata about the packets.  I looked at
coding this some time ago, and while I did get it working, it is a
mess since you have to do a lot of string manipulation in the kernel to
log the appropriate information.  I think using a userland program to do
all the string magic is a lot better.

> Does this make sense ? And, any idea on how to tag the packet with
> a rule number in a way that tcpdump can filter (yes, i am looking
> for dirty hacks here...)

Have you looked at how IPFilter or OpenBSD's pf does this?  I believe
they log packets using bpf/tcpdump (I might be wrong, I have never used
them).

-- 
Simon L. Nielsen
FreeBSD Documentation Team