Date: Tue, 01 Aug 2023 18:56:58 -0500
From: Zane C B-H
To: Mark Saad
Cc: net@freebsd.org
Subject: Re: Is there a FreeBSD equivalent of 'tcpdump -i any' from Linux?
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net
References: <826851ce2108b23515f81a8aca8d9b0e@vvelox.net>

On 2023-08-01 18:44, Mark Saad wrote:
>> On Aug 1, 2023, at 4:39 PM, Zane C B-H wrote:
>>
>> So what is a good way to get all packets passing through that the
>> kernel currently sees? Apparently any is not supported on non-Linux
>> systems and pflog would require adding log to all rules. Similarly
>> only logs packets that match a rule.
>>
>
> Just run tcpdump without the -i, iirc this will dump everything.

Nope. This just runs it on the first interface it finds.

- pflog - requires PF, requires adding it to all rules
- ipfw tee - requires ipfw, not bad but it requires someone already be using ipfw
- daemonlogger - unmaintained... quite literally dead upstream
- suricata - can't tell it to for example not log packets for TCP port 443, which for most FPC purposes just chew up disk space and all meaningful info will be in the suricata TLS log

Now as to the question of firing up multiple instances of tcpdump, this means that you will have duplicate packets where bridges are involved.
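The "one tcpdump per interface" approach discussed in the message, as an added example that is not part of the thread and not FreeBSD's or tcpdump's own tooling. It is POSIX sh. Its assumptions (mine, not the poster's): capturing on a bridge(4) interface shows the frames of its member interfaces, so members are skipped to avoid the duplicates the message warns about; lo0 and pflog* are not worth full-packet capture; TCP/443 is excluded with a BPF filter, which is the thing the message says Suricata cannot do; pcaps rotate with tcpdump's -G into a hypothetical /var/log/fpc. Interface discovery uses `ifconfig -l` and `ifconfig -g bridge` and runs only when FPC_RUN=1, so the selection logic can be exercised anywhere.

```shell
#!/bin/sh
# Added example, not from the freebsd-net thread: a poor man's "tcpdump -i any"
# for FreeBSD that starts one tcpdump per interface worth capturing.
# Assumptions (not facts from the thread):
#   - a bridge interface shows its members' frames, so members are skipped;
#   - lo0 and pflog* are skipped (prefix match on SKIP_PATTERNS);
#   - TCP/443 is excluded, as the message suggests for FPC;
#   - OUTDIR is a hypothetical path; files rotate every ROTATE_SECS seconds.

SKIP_PATTERNS="${SKIP_PATTERNS:-lo0 pflog}"          # interface-name prefixes to skip
EXCLUDE_FILTER="${EXCLUDE_FILTER:-not tcp port 443}" # BPF expression handed to tcpdump
OUTDIR="${OUTDIR:-/var/log/fpc}"                     # hypothetical capture directory
ROTATE_SECS="${ROTATE_SECS:-3600}"                   # tcpdump -G rotation interval

# word_in LIST WORD -> returns 0 if WORD is an element of space-separated LIST
word_in() {
    for w in $1; do [ "$w" = "$2" ] && return 0; done
    return 1
}

# matches_prefix WORD PATTERNS -> returns 0 if WORD starts with any pattern
matches_prefix() {
    for p in $2; do
        case "$1" in "$p"*) return 0 ;; esac
    done
    return 1
}

# select_capture_ifaces ALL MEMBERS -> prints the interfaces to capture on:
# every name in ALL minus skipped prefixes minus bridge members (MEMBERS).
select_capture_ifaces() {
    out=""
    for ifn in $1; do
        matches_prefix "$ifn" "$SKIP_PATTERNS" && continue
        word_in "$2" "$ifn" && continue
        out="$out $ifn"
    done
    printf '%s\n' "${out# }"
}

# tcpdump_cmd IFACE -> prints the tcpdump command line for one interface:
# no name resolution, full snaplen, time-rotated pcap named after the interface.
tcpdump_cmd() {
    printf "tcpdump -n -i %s -s 0 -G %s -w '%s/%s-%%Y%%m%%d%%H%%M%%S.pcap' '%s'\n" \
        "$1" "$ROTATE_SECS" "$OUTDIR" "$1" "$EXCLUDE_FILTER"
}

# bridge_members -> prints the member interfaces of every bridge(4) interface
# (FreeBSD-specific: bridges sit in the "bridge" interface group and
# `ifconfig bridgeN` lists each member on a "member:" line).
bridge_members() {
    for br in $(ifconfig -g bridge 2>/dev/null); do
        ifconfig "$br" | awk '/^[[:space:]]*member:/ {print $2}'
    done | tr '\n' ' '
}

# Live mode: only when explicitly requested, so sourcing the file is harmless.
if [ "${FPC_RUN:-0}" = 1 ]; then
    mkdir -p "$OUTDIR"
    for ifn in $(select_capture_ifaces "$(ifconfig -l)" "$(bridge_members)"); do
        cmd=$(tcpdump_cmd "$ifn")
        echo "starting: $cmd"
        eval "$cmd &"
    done
    wait
fi
```

Run it as `FPC_RUN=1 sh fpc.sh` on the capture box. The bridge-member skip only removes the duplicates the message mentions; a packet routed between two captured interfaces still appears in both pcaps (once inbound, once outbound), and nothing here merges the per-interface files, so expect to use `mergecap` or similar when reading them back.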