Date:      Thu, 9 Aug 2001 23:58:47 -0600 (CST)
From:      Ryan Thompson <ryan@sasknow.com>
To:        Wing Tim <twchim1@hotmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Snoop configuration
Message-ID:  <Pine.BSF.4.21.0108092336360.33792-100000@ren.sasknow.com>
In-Reply-To: <F71XfENIdel83bR4pA6000040e8@hotmail.com>

Wing Tim wrote to ryan@sasknow.com:

> Hi, Ryan,
>   Thank you very much for your reply! Then can I still use the snoop 
> protocol in FreeBSD with tcpdump? That is, can I snoop data going to a 
> particular interface?
>   Thanks!

Yes, but in FreeBSD, this is done with the Berkeley Packet Filter (bpf).
See bpf(4) for a background, but, in particular, see tcpdump(1).

- Ryan


> Regards,
> Wing
> 
> 
> 
> >From: Ryan Thompson <ryan@sasknow.com>
> >To: Wing Tim <twchim1@hotmail.com>
> >CC: freebsd-questions@freebsd.org
> >Subject: Re: Snoop configuration
> >Date: Thu, 9 Aug 2001 23:06:51 -0600 (CST)
> >
> >Wing Tim wrote to ryan@sasknow.com:
> >
> > > Hi, Ryan,
> > >
> > >   My computer that has FreeBSD installed has 2 ethernet card - one
> > > connects to the Internet and the other connects to a WaveLAN
> > > transmitter. Can I treat this WaveLAN transmitter as a tty and
> > > snoop the data onto it?
> >
> >No. snp(4) devices are especially designed for watching ttys.
> >
> >If you want to monitor raw network traffic, tcpdump(1) is what you want.
> >(I believe that was suggested earlier in this thread, but, for some
> >reason, it seemed like you wanted to watch ttys).
> >
> >Running tcpdump(1) puts the specified network interface into promiscuous
> >mode, which allows the kernel to grab the transmitted packets. tcpdump(1)
> >has several options to control, filter, and format its output, but, the
> >basic syntax of it is:
> >
> >	tcpdump -i eth0
> >
> >Where "eth0" is the device name of your network interface card. Run
> >ifconfig -a to get the device names of your network cards if you aren't
> >sure.
> >
> >You will want to read the man page for tcpdump to fine tune it to output
> >the data that you want. Myself, and others on this list can probably help
> >you to control the output of tcpdump, if we know exactly what you need
> >displayed.
> >
> >
> >So, again, in short...
> >
> >If you want to watch terminals, to see what shell users are doing on your
> >machine (this has plenty of uses.. technical support, troubleshooting,
> >monitoring), then you want to use snp(4) and watch(8).
> >
> >If, on the other hand, you want to monitor network traffic (identifying
> >network attacks, verifying firewall functionality, troubleshooting network
> >services, looking at physical packet flow, etc), then tcpdump(1) is the
> >answer.
> >
> >
> > >   Thanks!
> >
> >
> >
> >
> >
> > >
> > > Regards,
> > > Wing
> > >
> > >
> > >
> > > >From: Ryan Thompson <ryan@sasknow.com>
> > > >To: Wing Tim <twchim1@hotmail.com>
> > > >CC: alex@big-blue.net, bwatts@corp.netcom.ca, 
> >freebsd-questions@FreeBSD.ORG
> > > >Subject: Re: Snoop configuration
> > > >Date: Thu, 9 Aug 2001 21:54:43 -0600 (CST)
> > > >
> > > >Wing Tim wrote to alex@big-blue.net:
> > > >
> > > > > Hi,
> > > > >   Thank you very much! The snoop has started in my machine.
> > > > >   After typing "sh MAKEDEV snp0", it asked me to enter a device 
> >name,
> > > >what
> > > > > should I input? I input "snp0" but the error "watch: fatal: cannot
> > > >attach to
> > > > > tty" occurs. What does that "device name" mean actually? Is that the
> > > >device
> > > > > that buffers data?
> > > > >   By the way, according to my understanding, snoop protocol is 
> >something
> > > > > that buffering data in a certain device. Does snoop in FreeBSD have
> > > >similar
> > > > > function?
> > > >
> > > >
> > > >Hi Wing,
> > > >
> > > >Now that you've got the devices created, you need to tell watch(8) 
> >which
> > > >tty you want to snoop on. It helps if you run the command "who" (or
> > > >"finger", or "w" if you prefer), to see who is on-line, and on which 
> >ttys.
> > > >
> > > >root# who
> > > >root             ttyv0   Aug  8 12:03
> > > >ryan             ttyv1   Aug  8 10:09
> > > >ryan             ttyv3   Jul 27 10:41
> > > >darren           ttyp0   Aug  7 13:31
> > > >wayne            ttyp1   Aug  5 17:43
> > > >
> > > >If you want to snoop on darren, who is logged on to "ttyp0", just enter
> > > >"ttyp0" as the device to snoop in watch(8):
> > > >
> > > >root# watch ttyp0
> > > >
> > > >
> > > >
> > > > >   Thanks!
> > > > >
> > > > > Regards,
> > > > > Wing
> > > >
> > >
> > >
> > >
> > >
> >
> 
> 
> 
> 

-- 
  Ryan Thompson <ryan@sasknow.com>
  Network Administrator, Accounts

  SaskNow Technologies - http://www.sasknow.com
  #106-380 3120 8th St E - Saskatoon, SK - S7H 0W2

        Tel: 306-664-3600   Fax: 306-664-1161   Saskatoon
  Toll-Free: 877-727-5669     (877-SASKNOW)     North America


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message




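The two paths Ryan describes in the thread, written out as an added example (this is not code from the thread or from FreeBSD): picking the tty a user is on from who(1) output for snp(4)/watch(8), and building a bpf(4)-backed tcpdump(1) capture for one named interface. The who(1) output and the interface list are constructed sample data, and the interface names fxp0, wi0 and lo0 are assumptions, not taken from the thread. Both tools need root (watch(8) opens /dev/snp*, tcpdump opens /dev/bpf*), so the functions only build and check the command lines and can run unprivileged.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the watch(8) and
# tcpdump(1) command lines discussed above from constructed sample data.
# Interface names below (fxp0, wi0, lo0) are assumptions, not from the thread.

# Constructed who(1) output, in the layout shown in the thread.
SAMPLE_WHO='root             ttyv0   Aug  8 12:03
ryan             ttyv1   Aug  8 10:09
ryan             ttyv3   Jul 27 10:41
darren           ttyp0   Aug  7 13:31
wayne            ttyp1   Aug  5 17:43'

# Constructed `ifconfig -l` output: FreeBSD prints the interface names on one line.
SAMPLE_IFLIST='fxp0 wi0 lo0'

# List the ttys on which user $1 is logged in, reading who(1) output from stdin.
# A user with several sessions (ryan above) gets one line per tty.
ttys_for_user() {
    awk -v u="$1" '$1 == u { print $2 }'
}

# Build the watch(8) command for the first tty of user $1, given who(1)
# output in $2. Fails (status 1) if the user is not logged in, so a script
# never runs `watch` with an empty device argument.
watch_cmd_for_user() {
    tty=$(printf '%s\n' "$2" | ttys_for_user "$1" | head -n 1)
    [ -n "$tty" ] || return 1
    printf 'watch %s\n' "$tty"
}

# Succeed if interface $1 appears in the space-separated list $2.
if_exists() {
    for i in $2; do
        [ "$i" = "$1" ] && return 0
    done
    return 1
}

# Build a tcpdump(1) command for interface $1, checked against interface
# list $2, writing to capture file $3 with optional BPF filter $4.
# -i takes an interface name as printed by `ifconfig -l`, not a /dev path.
#   -n    no name resolution, so the capture itself generates no DNS traffic
#   -s 0  capture whole packets instead of the old 68-byte default snaplen
#   -w    store raw packets for later decoding with `tcpdump -r FILE`
build_capture_cmd() {
    if_exists "$1" "$2" || { echo "no such interface: $1" >&2; return 1; }
    if [ -n "$4" ]; then
        printf "tcpdump -i %s -n -s 0 -w %s '%s'\n" "$1" "$3" "$4"
    else
        printf 'tcpdump -i %s -n -s 0 -w %s\n' "$1" "$3"
    fi
}

# Demo on the constructed data.
watch_cmd_for_user darren "$SAMPLE_WHO"
build_capture_cmd wi0 "$SAMPLE_IFLIST" wlan.pcap 'not port 22'
```

The filter `not port 22` keeps your own ssh session out of a capture that would otherwise echo it back to you. Add `-p` to the generated command if you only want frames addressed to this host: as the thread says, tcpdump otherwise puts the interface into promiscuous mode, which on a shared medium such as the WaveLAN side means every frame in range. The watch(8) path sees only what passes through a tty; it cannot show you packets, just as bpf cannot show you a shell session that never touches the network.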