Date: Mon, 29 Jan 2007 16:04:35 -0200 From: "Victor Loureiro Lima" <victorloureirolima@gmail.com> To: freebsd-net@freebsd.org Subject: Interface security considerations Message-ID: <ac00e00a0701291004s646a137cr9b1103f56e887ecf@mail.gmail.com>
next in thread | raw e-mail | index | archive | help
Hello -net@, A question came into my mind a few days ago while I was coding some application using libpcap on freebsd: - Whats the best way to determine if an application is listening on an interface and sniffing packets that goes through it? I've seen that a couple of process that are using libpcap can be traced back to open file descriptors to /dev/bpfX files using fstat(1), even with sockstat(1) I can figure out that a certain process has an open "something" and further investigate it, but I was wondering whats the common practice for freebsd users finding out this sort of thing? - While I was trying to figure out which process was listening on a certain interfaces an idea for a patch in sys/net/bpf.c functions bpf_open() and bpf_close() that would simply printf(9) the PID (d->bd_pid = td->td_proc->p_pid;) of a process that was trying to open the BPF device, while it was a simple patch, I am not sure if using the BPF device is the only possible way to sniff the packets from an interface, I know that linux implement sock_packet, and some systems have DLPI, just to get things straight, If an application wants to be able to sniff packets on a interface the only possible way (without messing with kernel at all) is using the BPF interface or are there other ways (even if they are not portable out of FreeBSD at all) of doing this? - Is "device bpf" enabled by default on GENERIC kernel? Thanks in advance, Victor Loureiro Lima
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ac00e00a0701291004s646a137cr9b1103f56e887ecf>