Kevin Wilcox kevin.wilcox at
Wed Jan 5 18:44:59 UTC 2011

On 5 January 2011 13:25, David Brodbeck <gull at> wrote:

> On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcox <kevin.wilcox at> wrote:

>> To really see what your machine is doing, consider taking a look at
>> the network flows. pfflowd, netflowd, ipaudit and a host of others can
>> get you flow data with mostly minimal overhead.

> Also, keep in mind that depending on how badly the machine has been
> compromised, you may not be able to trust the output of utilities
> running on the machine itself.  You may have to resort to capturing
> its network traffic on another machine for analysis.

That's an excellent point. A span port from the upstream switch/router
would be ideal unless you've verified, through mechanisms external to
the machine (known good test media), the tools on that machine are


More information about the freebsd-questions mailing list