Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 5 Mar 2011 11:47:19 -0700
From:      Modulok <modulok@gmail.com>
To:        erikmccaskey64 <erikmccaskey64@zoho.com>
Cc:        freebsd <freebsd-questions@freebsd.org>
Subject:   Re: Is it safe to run tcpdump?
Message-ID:  <AANLkTim8-1uF5fJtNJ7OzXBULRO0k4M-OwpuGnt29_bf@mail.gmail.com>
In-Reply-To: <12e85ece3b5.7517152619980667233.9119604654657332096@zoho.com>
References:  <12e85ece3b5.7517152619980667233.9119604654657332096@zoho.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
What do you mean by 'safe'?

The only side affects I can think of to running tcpdump on an
interface constantly, is the generation of large log files (if you
re-directed to log files) as well as the fact that it usually puts an
interface into 'promiscuous mode'. (See the -p flag.) This offloads
network traffic onto the cpu which could introduce additional network
latency for high throughput networks in some situations. (As far as
how much latency, if any, and whether it's actually a problem depends
on many factors. Test it.)

Other ways to generate network logs would be via the logging feature
of the PF firewall. You can setup specific rules to capture tcpdump
compatible logs and send them either to a log file or to a pseudo
network interface (the pflog device) for live viewing. There's a
chapter about this covered in Peter Hansteen's "The Book of PF".

-Modulok-


On 3/5/11, erikmccaskey64 <erikmccaskey64@zoho.com> wrote:
> Is it safe to always run tcpdump on the server, e.g.: like this:
>
>
> tcpdump -qn dst net 192.168.1.0/24
>
>
> I need it to "audit the network" .. :\
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?AANLkTim8-1uF5fJtNJ7OzXBULRO0k4M-OwpuGnt29_bf>