Date:      Mon, 29 Jan 2007 20:55:11 +0200
From:      "Vlad GALU" <dudu@dudu.ro>
To:        "Victor Loureiro Lima" <victorloureirolima@gmail.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Interface security considerations
Message-ID:  <ad79ad6b0701291055t1f078beeid79390f7c05056d3@mail.gmail.com>
In-Reply-To: <ac00e00a0701291004s646a137cr9b1103f56e887ecf@mail.gmail.com>
References:  <ac00e00a0701291004s646a137cr9b1103f56e887ecf@mail.gmail.com>

On 1/29/07, Victor Loureiro Lima <victorloureirolima@gmail.com> wrote:
> Hello -net@,
>
>  A question came into my mind a few days
> ago while I was coding some application using
> libpcap on FreeBSD:
>  - What's the best way to determine if an application
> is listening on an interface and sniffing packets that
> go through it? I've seen that a couple of processes
> that are using libpcap can be traced back to open file
> descriptors to /dev/bpfX files using fstat(1); even with
> sockstat(1) I can figure out that a certain process has
> an open "something" and further investigate it, but I was
> wondering what's the common practice for FreeBSD users
> finding out this sort of thing?

  See ports/net/bpfstat. BPF already exposes that info to
userspace programs.


>   - While I was trying to figure out which process was
> listening on a certain interface, I had an idea for a patch to the
> sys/net/bpf.c functions bpf_open() and bpf_close() that
> would simply printf(9) the PID (d->bd_pid = td->td_proc->p_pid;)
> of a process that was trying to open the BPF device. While
> it was a simple patch, I am not sure if using the BPF device
> is the only possible way to sniff the packets from an
> interface. I know that Linux implements sock_packet, and
> some systems have DLPI. Just to get things straight:
> if an application wants to be able to sniff packets on an interface,
> is the only possible way (without messing with the kernel at all)
> using the BPF interface, or are there other ways (even if they
> are not portable out of FreeBSD at all) of doing this?

   No, there aren't any other interfaces, unless you modify the
ether_input() routine. And BPF is the most portable method in use
nowadays.

>    - Is "device bpf" enabled by default on GENERIC kernel?

  Yes.

> Thanks in advance,
> Victor Loureiro Lima


-- 
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.
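As an added example (not part of the thread, and not the bpfstat port), the fstat(1)-based check Victor describes, written as a shell function that lists processes holding an open BPF descriptor. It assumes fstat's default column layout (USER CMD PID FD MOUNT INUM MODE SZ|DV R/W, with the device name such as bpf0 in the SZ|DV column for character devices); the sample output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: find processes with an open BPF descriptor from fstat(1) output.
# Assumed fstat columns: USER CMD PID FD MOUNT INUM MODE SZ|DV R/W.

# Read fstat output on stdin; print "PID CMD DEVICE" for every BPF descriptor,
# ordered by PID so one sniffer with several descriptors groups together.
bpf_holders() {
    awk '
        # skip the header line and anything without a numeric PID
        $3 !~ /^[0-9]+$/ { next }
        # a sniffer shows up as a character device named bpf* mounted under /dev
        $5 == "/dev" && $8 ~ /^bpf/ { print $3, $2, $8 }
    ' | sort -n
}

# Number of distinct processes holding at least one BPF descriptor.
bpf_holder_count() {
    bpf_holders | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Constructed sample resembling "fstat -f /dev" output (not real host data):
# tcpdump holds two BPF descriptors, snoopd one; sshd and syslogd hold /dev/null.
SAMPLE_FSTAT='USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
root     tcpdump     1234    3 /dev        129 crw-------    bpf0 r
root     tcpdump     1234    4 /dev        130 crw-------    bpf1 r
root     sshd         501    5 /dev         45 crw-rw-rw-    null rw
victor   snoopd      2048    3 /dev        131 crw-------    bpf2 r
root     syslogd      412    7 /dev         44 crw-rw-rw-    null w'

# On a FreeBSD host, inspect the live system; elsewhere fall back to the sample.
if [ "$(uname -s)" = "FreeBSD" ] && command -v fstat >/dev/null 2>&1; then
    fstat -f /dev | bpf_holders
else
    printf '%s\n' "$SAMPLE_FSTAT" | bpf_holders
fi
```

Run it as root on the host being checked so fstat can see every process's descriptors.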


