On 2023-08-01 18:44, Mark Saad wrote:
On Aug 1, 2023, at 4:39 PM, Zane C B-H <v.ve...@vvelox.net> wrote:
So what is a good way to get all packets passing through that the
kernel currently sees? Apparently any is not support on non-Linux
systems and pflog would require adding log to all rules. Similarly
only logs packets that match a rule.
Just run tcpdump without the -i , iirc this will dump everything.
Nope. This just runs it on the first interface it finds.
- pflog - requires PF, requires adding it to all rules
- ipfw tee - requires ipfw, not bad but it requires some one already be
using ipfw
- deamonlogger - unmaintained... quiet literally dead upstream
- suricata - can't tell it to for example not log packets for TCP port
443, which for most FPC purposes just chew up disk space and all
meaningful info will be in the suricata TLS log
Now as to the question of firing up multiple instances of tcpdump, this
means that you will have duplicate packets where bridges are involved.
