On Aug 1, 2023, at 7:57 PM, Zane C B-H <v.ve...@vvelox.net> wrote:
>
> On 2023-08-01 18:44, Mark Saad wrote:
>>>> On Aug 1, 2023, at 4:39 PM, Zane C B-H <v.ve...@vvelox.net> wrote:
>>> So what is a good way to get all packets passing through that the kernel
>>> currently sees? Apparently any is not supported on non-Linux systems and
>>> pflog would require adding log to all rules. Similarly, it only logs packets
>>> that match a rule.
>> Just run tcpdump without the -i, iirc this will dump everything.
>
> Nope. This just runs it on the first interface it finds.
>
> - pflog - requires PF, requires adding it to all rules
> - ipfw tee - requires ipfw, not bad but it requires that someone already be
>   using ipfw
> - daemonlogger - unmaintained... quite literally dead upstream
> - suricata - can't tell it to, for example, not log packets for TCP port 443,
>   which for most FPC purposes just chew up disk space and all meaningful info
>   will be in the suricata TLS log
>
> Now as to the question of firing up multiple instances of tcpdump, this means
> that you will have duplicate packets where bridges are involved.
I haven't tried it personally, but maybe with Netgraph you can make a tap of all of this? What is your goal?

---
Mark Saad | nones...@longcount.org
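Concretely, the Netgraph tap Mark suggests can be built by interposing an ng_tee between an interface's ng_ether "lower" and "upper" hooks and feeding the tee's copy hooks into an ng_eiface, which then shows up as an ordinary interface for tcpdump. The script below is an added example written for this thread, not code from either poster or from FreeBSD: the node types and hook names are taken from ng_ether(4), ng_tee(4), ng_one2many(4) and ng_eiface(4), while the node names (tap0tee, tap0mux), the function names and the `plan`/`apply`/`teardown` interface are this example's own. The plan functions only print an ngctl(8) script so it can be reviewed before it is applied; applying it needs root on a FreeBSD host.

```shell
#!/bin/sh
# Transparent Netgraph tap for one FreeBSD interface (added example, not from
# the thread). Node types and hook names come from ng_ether(4), ng_tee(4),
# ng_one2many(4) and ng_eiface(4); the node names ("<tap>tee", "<tap>mux") and
# the function names are this example's own assumptions.
#
# Resulting graph for IF=em0, TAP=tap0:
#
#   wire  -> em0:lower -> tap0tee:left  -> tap0tee:right -> em0:upper -> stack
#   stack -> em0:upper -> tap0tee:right -> tap0tee:left  -> em0:lower -> wire
#
# ng_tee copies left->right frames onto its left2right hook and right->left
# frames onto right2left; ng_one2many merges the two copies onto its "one"
# hook, which feeds an ng_eiface. The eiface appears as a normal ngethN
# interface, so any tcpdump/BPF filter can be applied to the copy without
# touching pf, ipfw or the rule set.
set -eu

# Print the ngctl(8) script that builds the tap for interface $1 under tap
# name $2 (default tap0). Review it, or pipe it into `ngctl -f -`.
# The setconfig line follows the ng_one2many(4) example syntax.
ng_tap_plan() {
    IF=$1
    TAP=${2:-tap0}
    cat <<EOF
mkpeer ${IF}: tee lower left
name ${IF}:lower ${TAP}tee
connect ${IF}: ${TAP}tee: upper right
mkpeer ${TAP}tee: one2many left2right many0
name ${TAP}tee:left2right ${TAP}mux
connect ${TAP}tee: ${TAP}mux: right2left many1
msg ${TAP}mux: setconfig { xmitAlg=1 failAlg=1 enabledLinks=[ 1 1 ] }
mkpeer ${TAP}mux: eiface one ether
EOF
}

# Print the ngctl(8) script that removes the tap again. The tee is shut down
# last: ng_tee splices its left and right peers back together on shutdown, so
# the tapped interface keeps forwarding.
ng_tap_teardown_plan() {
    TAP=${1:-tap0}
    cat <<EOF
shutdown ${TAP}mux:one
shutdown ${TAP}mux:
shutdown ${TAP}tee:
EOF
}

# Apply a plan on the running system (root on FreeBSD). Between the first
# mkpeer and the following connect there is a brief window in which frames
# arriving on the interface are dropped.
ng_tap_apply() {
    kldload -n ng_ether ng_tee ng_one2many ng_eiface
    ng_tap_plan "$@" | ngctl -f -
    # ng_eiface names its interface ngethN; read the name back from the
    # "Name:" field of `ngctl show` on the eiface node.
    IFNAME=$(ngctl show "${2:-tap0}mux:one" | awk '$1 == "Name:" { print $2; exit }')
    ifconfig "$IFNAME" up
    echo "$IFNAME"
}

# With no arguments the file only defines the functions above.
if [ $# -gt 0 ]; then
    case $1 in
        plan)     shift; ng_tap_plan "$@" ;;
        apply)    shift; ng_tap_apply "$@" ;;
        teardown) shift; ng_tap_teardown_plan "$@" | ngctl -f - ;;
        *) echo "usage: $0 plan|apply IFACE [TAPNAME] | teardown [TAPNAME]" >&2; exit 64 ;;
    esac
fi
```

After `./ngtap.sh apply em0` prints the eiface name (ngeth0 for the first one), `tcpdump -i ngeth0 -w fpc.pcap 'not tcp port 443'` gives the full-packet capture with the TLS bulk traffic excluded, which is the filter the suricata option in the thread could not express. Two caveats: every frame is copied once more in the kernel, so the tee costs CPU and memory on busy links; and on a bridge, tapping both member interfaces this way reproduces the duplication Zane describes (a forwarded frame is copied on the way in and again on the way out), so tap a single member, or the interface where the traffic of interest enters.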