'tcpdump -i any' equivalent for FreeBSD

[VVelox]

Any means of doing anything like 'tcpdump -i any' on FreeBSD? On Linux this grabs packets from all interfaces.

 

[balanga]

tcpdump()

 

[VVelox]

tcpdump()

This does nothing to answer the question as '-i any' is Linux specific and does not work on FreeBSD. Nor does the man page offer any solutions for this on FreeBSD.

The closest seems to be pflog or ipfw tee, but that is very suboptimal given it requires specifically configuring the firewall for it.

 

[Eric A. Borisch]

tcpdump()

Note that in tcpdump(1) it explicitly states (for -i):

On Linux systems with 2.2 or later kernels, an interface argu-
ment of ``any'' can be used to capture packets from all inter-
faces. Note that captures on the ``any'' device will not be
done in promiscuous mode.

So I’m assuming they read the manual. The follow-on question stands: is there a way to do something similar (perhaps with a different tool) on FreeBSD?

I could imagine a simple script that launches tcpdump for each up interface, but that’s not ideal.

 

[VVelox]

Note that in tcpdump(1) it explicitly states (for -i):



So I’m assuming they read the manual. The follow-on question stands: is there a way to do something similar (perhaps with a different tool) on FreeBSD?

I could imagine a simple script that launches tcpdump for each up interface, but that’s not ideal.

Doing it this way means you will get duplicate packets when it comes to like bridged interfaces.

The big question is there any good general purpose way to get the kernel to send you all the packets for like a specific BPF or the like.

As it currently stands all the answers seem to come with notable draw backs.

- pflog - requires PF, requires adding it to all rules
- ipfw tee - requires ipfw, not bad but it requires some one already be using ipfw
- deamonlogger - unmaintained... quiet literally dead upstream
- suricata - can't tell it to for example not log packets for TCP port 443, which for most FPC purposes just chew up disk space and all meaningful info will be in the suricata TLS log

 

[Eric A. Borisch]

Depending on just what OP is looking to do, dtrace’s TCP provider is likely worth a look.

Or perhaps dwatch(1)

 

[sko]

Although I couldn't think of a scenario where I don't know/want to know on which interface some traffic arrives or leaves the host; one could build something like a "match log (all) all" rule for PF and run tcpdump on pflog0.
However, on anything but a very silent dekstop this would be like drinking from a firehose... Also make sure to have enough space on /var/log for the gigantic pflog-file(s) this will generate in very short time.