Re: native recording of all network connections on freebsd
> On 28 Dec 2022, at 15:28, Sami Halabi wrote:
>
> using firewall like ipfw with rule to log any to any would be a start.. for
> advanced use, stateful fw so You can log start of connections

I would also consider using ng_netflow(4) with, for example, nfsend or even logstash with netflow input module (and stored into elastic indexes), visualized by kibana or other tools.

—
Juraj Lutter
o...@freebsd.org
Re: native recording of all network connections on freebsd
On 29.12.2022 at 02:58, Damjan Jovanovic wrote:
> On Wed, Dec 28, 2022 at 4:21 PM Dan Mack wrote:
>> I'm wondering if anyone can help point me at a good way to continuously
>> capture every inbound and outbound connection made to a freebsd system.
>> I'd prefer a way that is native in base if possible. I don't really want
>> to record all the packets, just the src:dest:rport:dport stats.
>>
>> Happy to RTFM as well,
>>
>> Dan
>
> Another possibility is to enable Netflow in ipfw (there is an ipfw_netflow service), which submits periodic reports of all connections made and their data usage, and then collect and process the Netflow data using a Netflow server.
>
> Or develop a custom Netgraph service that examines packets and logs connections. This would even work in the absence of any firewall.

Such a node exists: ng_netflow(4) and works flawlessly.

--
Marek Zarychta
Re: native recording of all network connections on freebsd
On Dec 28, 2022, at 6:21 AM, Dan Mack wrote:
>
> I'm wondering if anyone can help point me at a good way to continuously
> capture every inbound and outbound connection made to a freebsd system. I'd
> prefer a way that is native in base if possible. I don't really want to
> record all the packets, just the src:dest:rport:dport stats.

I'd build a simple program using pcap(3), and compile a bpf program using pcap_compile and then do pcap_setfilter to capture just the packets I want. Then save the desired fields from captured packets (and use a hashtable if just {src,dst}{ip,port} are wanted). There are online examples one can start from.
Re: native recording of all network connections on freebsd
On Wed, Dec 28, 2022 at 4:21 PM Dan Mack wrote:
>
> I'm wondering if anyone can help point me at a good way to continuously
> capture every inbound and outbound connection made to a freebsd system.
> I'd prefer a way that is native in base if possible. I don't really want
> to record all the packets, just the src:dest:rport:dport stats.
>
> Happy to RTFM as well,
>
> Dan
>

Another possibility is to enable Netflow in ipfw (there is an ipfw_netflow service), which submits periodic reports of all connections made and their data usage, and then collect and process the Netflow data using a Netflow server.

Or develop a custom Netgraph service that examines packets and logs connections. This would even work in the absence of any firewall.

Damjan
Re: native recording of all network connections on freebsd
Dan Mack writes:
> I'm wondering if anyone can help point me at a good way to continuously
> capture every inbound and outbound connection made to a freebsd system.

Assuming "connection" means "log every TCP connection setup" probably the quickest way is to tcpdump every TCP packet with both SYN and ACK set. That will log one packet for every TCP connection that is established with the system. It won't capture anything for connection attempts that fail. If you want that as well, just log everything with SYN set. If you do the latter you will also collect the background noise from people port scanning you and attempting other nefarious deeds.

--lyndon
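As an added example that is not code from anyone in this thread: the SYN+ACK capture Lyndon describes, with the per-4-tuple bookkeeping the pcap(3) reply suggests, done with tcpdump and awk from base. The BPF strings are the same ones a C program would hand to pcap_compile(3). The interface name em0 and the tcpdump lines in sample_capture are constructed placeholders. Two caveats: BPF cannot evaluate tcp[tcpflags] on IPv6 packets (extension headers make the TCP offset variable), so the filters below are IPv4-only, and the SYN-only variant records scans and failed attempts as Lyndon notes.

```shell
#!/bin/sh
# Added example: tcpdump + awk connection logger (not code from the thread).
# Assumptions: the interface is em0 (override with IFACE), tcpdump is the one
# in FreeBSD base, and the lines printed by sample_capture are constructed.
set -eu

IFACE="${IFACE:-em0}"

# BPF filters. The same strings can be passed to pcap_compile(3) in a C
# program built the way the pcap(3) reply suggests.
# Established connections only: exactly one packet (the SYN+ACK) per handshake.
FILTER_ESTABLISHED='tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'
# Every attempt, successful or not: every packet with SYN set.
FILTER_ATTEMPTS='tcp[tcpflags] & tcp-syn != 0'

# Reduce "tcpdump -nn" output on stdin to "initiator:port responder:port count".
# A SYN+ACK ("Flags [S.]") travels responder -> initiator, so its addresses are
# swapped to record the connection from the initiator's side. Non-IPv4 lines
# (no dotted-quad.port field) are skipped.
connection_tuples() {
    awk '
    {
        for (i = 1; i < NF; i++) {
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $(i + 1) == ">") {
                src = $i
                dst = $(i + 2); sub(/:$/, "", dst)
                if ($0 ~ /Flags \[S\.\]/) { t = src; src = dst; dst = t }
                split(src, s, "."); split(dst, d, ".")
                key = s[1] "." s[2] "." s[3] "." s[4] ":" s[5] " " d[1] "." d[2] "." d[3] "." d[4] ":" d[5]
                count[key]++
                break
            }
        }
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Live use (needs root): -l line-buffers so tuples appear as handshakes complete.
capture_established() {
    tcpdump -l -nn -i "$IFACE" "$FILTER_ESTABLISHED" | connection_tuples
}

# Constructed tcpdump lines standing in for a live capture: a SYN+ACK for one
# connection, a bare SYN for another, and a retransmission of the first SYN+ACK.
sample_capture() {
    cat <<'EOF'
15:28:01.000001 IP 198.51.100.2.22 > 192.0.2.1.54321: Flags [S.], seq 1, ack 2, win 65535, length 0
15:28:02.000002 IP 192.0.2.1.54322 > 198.51.100.2.22: Flags [S], seq 3, win 65535, length 0
15:28:03.000003 IP 198.51.100.2.22 > 192.0.2.1.54321: Flags [S.], seq 1, ack 2, win 65535, length 0
EOF
}

if [ "${1:-}" = "live" ]; then
    capture_established
else
    sample_capture | connection_tuples
fi
```

The count is per matching packet, so a retransmitted SYN+ACK (as in the sample) shows up as 2 for one connection; treat the number as "handshake packets seen", not "connections", unless you dedupe on the tuple alone.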
Re: native recording of all network connections on freebsd
Thank you, Oh how dumb I am - I'll just have pf do it using 'log all'.

Dan

On Wed, 28 Dec 2022, Sami Halabi wrote:

> using firewall like ipfw with rule to log any to any would be a start.. for
> advanced use, stateful fw so You can log start of connections
>
> On Wed, 28 Dec 2022, 16:21, Dan Mack wrote:
>
>> I'm wondering if anyone can help point me at a good way to continuously
>> capture every inbound and outbound connection made to a freebsd system.
>> I'd prefer a way that is native in base if possible. I don't really want
>> to record all the packets, just the src:dest:rport:dport stats.
>>
>> Happy to RTFM as well,
>>
>> Dan
Re: native recording of all network connections on freebsd
using firewall like ipfw with rule to log any to any would be a start.. for advanced use, stateful fw so You can log start of connections

On Wed, 28 Dec 2022, 16:21, Dan Mack wrote:
>
> I'm wondering if anyone can help point me at a good way to continuously
> capture every inbound and outbound connection made to a freebsd system.
> I'd prefer a way that is native in base if possible. I don't really want
> to record all the packets, just the src:dest:rport:dport stats.
>
> Happy to RTFM as well,
>
> Dan
>
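As an added example, not code from Sami, Dan or anyone else in this thread: the firewall-side approach from both replies above (pf with logging on stateful rules, and ipfw with a logging rule), plus an awk reducer for the ipfw syslog lines. In pf the "log all" Dan mentions is spelled `log (all)` and logs every packet; a plain `log` on a stateful pass rule logs only the state-creating packet, which is the "log start of connections" behaviour Sami describes and gives one line per connection. The interface em0 and the lines in sample_security_log are constructed placeholders.

```shell
#!/bin/sh
# Added example: logging connection starts with pf or ipfw and reducing the
# ipfw syslog lines to 4-tuples (not code from the thread). Assumptions: the
# interface is em0, and the lines in sample_security_log are constructed.
set -eu

# pf: 'log' on a stateful rule logs only the packet that creates the state,
# i.e. one line per connection start; 'log (all)' would log every packet.
# Needs pf_enable="YES" and pflog_enable="YES" in /etc/rc.conf; read the log
# live with: tcpdump -n -e -ttt -i pflog0   (or later from /var/log/pflog).
pf_rules() {
    cat <<'EOF'
ext_if = "em0"
pass in  log on $ext_if inet proto tcp from any to ($ext_if) keep state
pass out log on $ext_if inet proto tcp from ($ext_if) to any keep state
EOF
}

# ipfw: 'setup' matches only TCP packets with SYN and no ACK, so an early
# 'count log' rule records each connection attempt once, in both directions,
# without changing what later rules allow or deny. net.inet.ip.fw.verbose=1
# sends the lines to syslog (LOG_SECURITY, /var/log/security by default);
# net.inet.ip.fw.verbose_limit caps lines per rule (0 = no cap).
ipfw_rules() {
    cat <<'EOF'
sysctl net.inet.ip.fw.verbose=1
ipfw add 100 count log tcp from any to any setup
EOF
}

# Reduce ipfw syslog lines on stdin to "src:port dst:port direction count".
# Kernel line shape: "ipfw: <rule> <action> <proto> <src:port> <dst:port> <in|out> via <if>".
ipfw_log_tuples() {
    awk '
    /ipfw: [0-9]+ / {
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        if ($(i + 3) == "TCP") count[$(i + 4) " " $(i + 5) " " $(i + 6)]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Constructed /var/log/security lines: an inbound SSH attempt logged twice
# (SYN retransmitted) and one outbound HTTPS connection.
sample_security_log() {
    cat <<'EOF'
Dec 28 15:28:01 host kernel: ipfw: 100 Count TCP 192.0.2.1:54321 198.51.100.2:22 in via em0
Dec 28 15:28:02 host kernel: ipfw: 100 Count TCP 198.51.100.2:49152 203.0.113.9:443 out via em0
Dec 28 15:28:04 host kernel: ipfw: 100 Count TCP 192.0.2.1:54321 198.51.100.2:22 in via em0
EOF
}

sample_security_log | ipfw_log_tuples
```

The ipfw rule logs attempts (SYNs), so a retransmitted SYN shows as a count of 2 for the same tuple, and scans show up as well; with pf, a `log` rule only fires when a state is actually created, which is closer to "established connections". Pick the one that matches what you want to count.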
native recording of all network connections on freebsd
I'm wondering if anyone can help point me at a good way to continuously capture every inbound and outbound connection made to a freebsd system. I'd prefer a way that is native in base if possible. I don't really want to record all the packets, just the src:dest:rport:dport stats.

Happy to RTFM as well,

Dan