Re[2]: tcpdump filter for out/in traffic

2009-01-05 Thread KES

   Hello, matt.

   You wrote on 4 January 2009, 22:23:16:


> On Sun, Jan 4, 2009 at 10:56 AM, Eugene Grosbein [1]eu...@kuzbass.ru
> wrote:
>
>> On Sun, Jan 04, 2009 at 04:05:00PM +0200, KES wrote:
>>
>>> It would be very useful to have options for tcpdump to monitor
>>> incoming or outgoing traffic regardless of src/dst IPs or ports or
>>> protocol
>>>
>>> For example:
>>>
>>> kes# tcpdump -n -i rl4 out
>>> EXPECTED: show traffic outgoing on rl4
>>> ACTUAL: tcpdump: syntax error
>>>
>>> kes# tcpdump -n -i rl4 in
>>> EXPECTED: show traffic incoming on rl4
>>> ACTUAL: tcpdump: syntax error
>>
>> Hi!
>>
>> I use the following trick for that:
>>
>> tcpdump -n -p -i rl4 ether src me-rl4 # for outgoing
>> tcpdump -n -p -i tl4 not ether src me-rl4 # for incoming
>>
>> And add the MAC address of rl4 to /etc/ethers with the name 'me-rl4',
>> or just 'me' if you do not need to watch other interfaces this way.
>>
>> Eugene Grosbein
>>
>> ___
>> [2]freebsd-hack...@freebsd.org mailing list
>> [3]http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
>> To unsubscribe, send any mail to
>> [4]freebsd-hackers-unsubscr...@freebsd.org
>
> You don't even need an option; you just have to filter the traffic
> correctly using tcpdump, which Eugene already pointed out:
>
> tcpdump -n -p -i rl4 ether src me-rl4 # for outgoing
> tcpdump -n -p -i tl4 not ether src me-rl4 # for incoming

   That will not help.

   I can not add ether because this is a PPPoE interface.

   I can not use 'me' because I need to view traffic going through. It
   is not originated from 'me'.

   For example I have mpd5. I set up a PPPoE connection with my ISP. (ng0)

   I have a VPN server for LAN users; it is also mpd5 (ng1 ng2 ng3 etc.)

   I do NAT with MPD.

   So when I do tcpdump -n -i ng0 I get:

   18:52:11.781281 IP 192.168.5.11.2348 > 95.57.143.109.64350: P 1853247053:1853247057(4) ack 1650009540 win 17080
   18:52:11.783777 IP 81.19.80.166.80 > 192.168.4.5.2839: . 11790:13150(1360) ack 0 win 65535
   18:52:11.784218 IP 192.168.4.9.3298 > 82.144.223.61.80: . ack 21761 win 17680
   18:52:11.787732 IP 81.19.80.166.80 > 192.168.4.5.2839: . 13150:14510(1360) ack 0 win 65535
   18:52:11.789122 IP 192.168.5.15.2903 > 89.178.118.23.16562: . 13601:14961(1360) ack 0 win 16659
   18:52:11.790065 IP 192.168.5.15.1386 > 78.106.215.39.18155: . ack 18981 win 17680
   18:52:11.791181 IP 192.168.5.15.1311 > 79.174.64.193.80: . ack 5441 win 17680
   18:52:11.791889 IP 81.19.80.166.80 > 192.168.4.5.2839: . 14510:15870(1360) ack 0 win 65535
   18:52:11.792176 IP 192.168.5.15.4969 > 87.241.174.129.41954: . ack 18 win 16635
   18:52:11.792200 IP 192.168.8.13.1616 > 217.20.174.228.80: . ack 1361 win 65535 <nop,nop,sack 1 {4081:6801}>

   So 'in/out' options would help.

   --

   Best regards,

KES  [5]mailto:kes-...@yandex.ru

References

   1. mailto:eu...@kuzbass.ru
   2. mailto:freebsd-hackers@freebsd.org
   3. http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
   4. mailto:freebsd-hackers-unsubscr...@freebsd.org
   5. mailto:kes-...@yandex.ru
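As an added example, not part of this thread: on a point-to-point link such as ng0 there is no Ethernet header to match on, so direction has to be inferred from which side of the link an address belongs to. The script below applies that rule to lines in the format quoted above (assuming 192.168.0.0/16 is the LAN/VPN side, a hypothetical choice) and builds the equivalent libpcap filter; later tcpdump releases also accept -Q in / -Q out, which asks libpcap for the direction directly.

```python
import ipaddress
import re

# Constructed sample in the shape of the tcpdump output quoted in the thread
# (not a real capture).
SAMPLE_LINES = [
    "18:52:11.781281 IP 192.168.5.11.2348 > 95.57.143.109.64350: P 1853247053:1853247057(4) ack 1650009540 win 17080",
    "18:52:11.783777 IP 81.19.80.166.80 > 192.168.4.5.2839: . 11790:13150(1360) ack 0 win 65535",
    "18:52:11.784218 IP 192.168.4.9.3298 > 82.144.223.61.80: . ack 21761 win 17680",
    "18:52:11.792200 IP 192.168.8.13.1616 > 217.20.174.228.80: . ack 1361 win 65535 <nop,nop,sack 1 {4081:6801}>",
]

# Assumption: the LAN/VPN side behind the NAT router lives in these prefixes.
LAN_NETS = [ipaddress.ip_network("192.168.0.0/16")]

# tcpdump's "src.port > dst.port:" field layout for TCP/UDP over IPv4.
LINE_RE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")


def is_lan(addr):
    return any(addr in net for net in LAN_NETS)


def direction(line):
    """'out', 'in', 'unknown' (both or neither side local), or None if unparsed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src = ipaddress.ip_address(m.group(1))
    dst = ipaddress.ip_address(m.group(3))
    src_lan, dst_lan = is_lan(src), is_lan(dst)
    if src_lan and not dst_lan:
        return "out"
    if dst_lan and not src_lan:
        return "in"
    return "unknown"  # LAN-to-LAN or transit: address alone cannot decide


def classify(lines):
    return [direction(line) for line in lines]


def bpf_filter(which):
    """libpcap expression selecting the same packets on a link without Ethernet headers."""
    src = " or ".join(f"src net {n}" for n in LAN_NETS)
    dst = " or ".join(f"dst net {n}" for n in LAN_NETS)
    if len(LAN_NETS) > 1:  # parenthesise the alternatives before combining
        src, dst = f"({src})", f"({dst})"
    if which == "out":
        return f"{src} and not {dst}"
    if which == "in":
        return f"{dst} and not {src}"
    raise ValueError(f"unknown direction: {which}")
```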


Re: tcpdump filter for out/in traffic

2009-01-05 Thread Dag-Erling Smørgrav
Daniel O'Connor docon...@gsoft.com.au writes:
> I think it's more a question for the tcpdump maintainers.

tcpdump does not parse the filter expression, it just passes it along to
libpcap.

DES
-- 
Dag-Erling Smørgrav - d...@des.no


Re: FreeBSD kernel Debugging tools for Virtual Memory Module

2009-01-05 Thread Dag-Erling Smørgrav
Eugene Grosbein eu...@kuzbass.ru writes:
> First, you need to recompile the source you change, for sure :-)
> But you do not have to rebuild all other files every time.
> You need to add to your /etc/src.conf (or /etc/make.conf for 6.x and earlier):
>
> MODULES_WITH_WORLD=yes
>
> This will skip rebuilding of all modules during 'make buildkernel',
> but you MUST copy all modules from /boot/kernel to /boot/modules
> (all files other than /boot/kernel/kernel*) if you do this.

What is the point, if you use NO_KERNELCLEAN as recommended below?  The
modules won't be rebuilt either unless something that affects them has
changed.  Running a new kernel with old modules is a great way to shoot
yourself in the foot.

If you absolutely want to skip modules, build your kernel with
-DNO_MODULES, but install it normally, or use reinstallkernel instead of
installkernel.  The latter will overwrite your running kernel - but you
should keep an unmodified kernel around anyway.

You can boot entirely without modules if you include everything you need
(including acpi) in your kernel config.

> Then, if you do not change the kernel config file,
> recompile your changes with this command (from the second time on):
>
> cd /usr/src; make NO_KERNELDEPEND=yes NO_KERNELCLEAN=yes buildkernel

You should not use -DNO_KERNELDEPEND unless you know for sure that no
#include directives have been added or removed and no kernel options
have changed.

It is safe to use -DNO_KERNELCLEAN, but not -DNO_KERNELDEPEND, even if
your config file changed.

> Second, you should use some kind of virtual machine (like qemu from
> ports) to speed up your development cycle even more: install the system
> into a virtual machine and you will not need another box to debug the
> kernel, nor to reboot your development box. Test your changes
> with the system installed in the VM and reboot only that. Use ddb or kgdb
> as already noted here.

The best solution by far is to use actual hardware and netboot from your
development machine.  It's easy to set up, and you don't lose context
every time you reboot the test system.

DES
-- 
Dag-Erling Smørgrav - d...@des.no