Is it safe to run tcpdump?
modulok at gmail.com
Sat Mar 5 18:47:20 UTC 2011
What do you mean by 'safe'?

The only side effects I can think of to running tcpdump on an
interface constantly are the generation of large log files (if you
re-directed to log files) as well as the fact that it usually puts an
interface into 'promiscuous mode'. (See the -p flag.) This offloads
network traffic onto the CPU which could introduce additional network
latency for high throughput networks in some situations. (As far as
how much latency, if any, and whether it's actually a problem depends
on many factors. Test it.)

Other ways to generate network logs would be via the logging feature
of the PF firewall. You can set up specific rules to capture
tcpdump-compatible logs and send them either to a log file or to a pseudo
network interface (the pflog device) for live viewing. There's a
chapter about this covered in Peter Hansteen's "The Book of PF".

On 3/5/11, erikmccaskey64 <erikmccaskey64 at zoho.com> wrote:
> Is it safe to always run tcpdump on the server, e.g.: like this:
> tcpdump -qn dst net 192.168.1.0/24
> I need it to "audit the network" .. :\
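
Added example, not part of the original post: one way to limit the two side effects named in the reply above (unbounded log files and promiscuous mode) when a capture runs continuously. The interface name em0, the directory /var/log/capture and the size budget are assumed sample values, and ring_files and capture_cmd are hypothetical helper names.

```shell
#!/bin/sh
# Bounded, non-promiscuous tcpdump capture for a long-running audit.
# All concrete values (em0, /var/log/capture, 1000 MB budget) are assumptions.

# ring_files BUDGET_MB FILE_MB
# Prints how many capture files of FILE_MB fit inside BUDGET_MB.
# Fails if the arguments are not numbers or the budget is smaller than one file.
ring_files() {
    budget=$1; per_file=$2
    [ "$per_file" -gt 0 ] 2>/dev/null && [ "$budget" -ge "$per_file" ] 2>/dev/null || return 1
    echo $(( budget / per_file ))
}

# capture_cmd IFACE DIR BUDGET_MB FILE_MB [FILTER...]
# Prints the tcpdump command line for a ring-buffer capture.
capture_cmd() {
    iface=$1; dir=$2; budget=$3; per_file=$4; shift 4
    count=$(ring_files "$budget" "$per_file") || return 1
    # -p  do not put the interface into promiscuous mode
    # -n  no name resolution (no DNS lookups caused by the capture itself)
    # -s  snapshot length: keep 96 bytes per packet, enough for headers
    # -C  start a new file after about FILE_MB million bytes
    # -W  keep at most COUNT files, overwriting the oldest (ring buffer)
    # -w  write raw packets to file instead of printing them
    echo "tcpdump -p -n -i $iface -s 96 -C $per_file -W $count -w $dir/audit.pcap $*"
}

# Only start a capture when explicitly asked: sh capture.sh run
if [ "${1:-}" = "run" ]; then
    cmd=$(capture_cmd em0 /var/log/capture 1000 100 dst net 192.168.1.0/24) || exit 1
    echo "$cmd"
    # Unquoted on purpose so the string splits back into separate arguments.
    exec $cmd
fi
```

With these values the capture never holds more than 10 files of about 100 million bytes each, so disk use stays near the 1000 MB budget however long it runs.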