ikev2 configuration on per-user basis with different policies

2022-04-10 Thread Ettore Tagarelli
Hello,
I configured an OpenBSD system as a VPN server with IKEv2.
It works great, but I'd like to use a configuration with different policies
on a per-user basis.
The clients connect from dynamic ip.
Does anybody have any hint or alternative?
thanks 😊


tcpdump rotating issue with newsyslog

2022-04-10 Thread Yogendra Kumar Chaudhary
Good Evening Community,

I am running the following command on OpenBSD 6.2:

tcpdump -Nneqt -w tcpdump.pcap -i vic0 &

and using the following newsyslog.conf entry for rotating tcpdump.pcap:

# logfile_name          owner:group  mode  count  size  when  flags
/home/logs/tcpdump.pcap               644   5      10    *     z

So when newsyslog checks and the >=10KB size is hit, the tcpdump.pcap file
is rotated and tcpdump.pcap.0.gz is created.

But after this, the size of the file is not increasing.

I ran the following command to check the file:

# tcpdump -r tcpdump.pcap
tcpdump: bad dump file format

and the above tcpdump command is still running in the background.

So the question is: does tcpdump have any issue with rotating files with
newsyslog?
Or am I missing something?
Can you please suggest a solution for this?



Thanks and Regards
Yogendra Kumar
National Institute of Technology,
Karnataka


Re: tcpdump rotating issue with newsyslog

2022-04-10 Thread Nick Holland

On 4/10/22 9:39 AM, Yogendra Kumar Chaudhary wrote:

> Good Evening Community,
>
> I am running the following command in the OpenBSD 6.2.
>
> "tcpdump -Nneqt -w tcpdump.pcap -i vic0 &"
>
> and using the following newsyslog.conf entry for rotating the tcpdump.pcap
>
> # logfile_name          owner:group  mode  count  size  when  flags
> /home/logs/tcpdump.pcap               644   5      10    *     z
>
> So when newsyslog checks and >=10KB size hits, the tcpdump.pcap file
> will be rotated and tcpdump.pcap.0.gz will be created.
>
> But after this, the size of the file is not increasing.
>
> run the following command to check the file
>
> # tcpdump -r tcpdump.pcap
> tcpdump: bad dump file format
>
> and the above tcpdump command is still running in the background.
>
> So the question is the tcpdump have any issue with rotating the files with
> newsyslog?
> Or am I missing something?
> Can you please suggest a solution for this?


I see a couple of potential problems.

1) tcpdump -w is writing raw packets out; you probably don't want newsyslog
adding a text "log turned over" message to your dump file. Look at the "B" flag.

2) You didn't do anything to tell tcpdump to stop dumping to the old file
and use a new one.

So ... I suspect something like this is happening:
 * tcpdump is putting data to a file pointed to by the link "tcpdump.pcap"
 * newsyslog rotates the log file and triggers the compression process.
 * the old file is read by gzip and a new file is created.  (note, the old
   file isn't compressed "in place" -- a new file is created!)
 * gzip deletes the old file link.  Except tcpdump is still sending data to
   the file, but there's no way to access the data.  Kinda cool, you could
   fill your disk with no way to get your data.

So, I'm thinking you probably want a 'b' and a SIGHUP sent to tcpdump.
You can validate my second point by disabling the compression, I suspect
you will see your .0 file continue to grow in size, until it becomes .1, etc.

newsyslog sends a SIGHUP to syslogd, but your output isn't going through
syslogd in this case -- it is coming directly from tcpdump.

I probably got a few things wrong here. :)

Nick.
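The sequence Nick lays out can be reproduced without tcpdump or newsyslog, because it is a property of the file system rather than of either tool. The following is an added example (not code from the thread) that plays all three roles in Python: a "capture" process opens the file once and keeps the descriptor, a "rotate" step renames the file and creates a fresh one with or without the effect of the B flag, and a "compress" step writes the .gz and unlinks the original, as gzip does. The file names and the wording of the turnover message are assumptions.

```python
"""Simulate what newsyslog + gzip do to a file that a running tcpdump -w
still has open. Added example, not code from the thread; file names and the
turnover message text are assumptions."""
import gzip
import os
import shutil
import struct
import tempfile

PCAP_MAGIC_LE = 0xA1B2C3D4
# pcap global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
# Approximation of the line newsyslog writes into a fresh log unless the B flag is set.
TURNOVER_MSG = b"Apr 10 17:00:00 host newsyslog[1234]: logfile turned over\n"


def pcap_record(ts_sec, payload):
    """One pcap record: header (ts_sec, ts_usec, incl_len, orig_len) followed by data."""
    return struct.pack("<IIII", ts_sec, 0, len(payload), len(payload)) + payload


def is_pcap(path):
    """The first thing tcpdump -r checks: does the file start with a pcap magic
    number? Text (or nothing) there gives 'bad dump file format'."""
    with open(path, "rb") as f:
        magic = f.read(4)
    if len(magic) < 4:
        return False
    value = struct.unpack("<I", magic)[0]
    # classic and nanosecond magics, either byte order
    return value in (0xA1B2C3D4, 0xD4C3B2A1, 0xA1B23C4D, 0x4D3CB2A1)


def rotate_like_newsyslog(path, binary_flag):
    """Rename path -> path.0 and create a fresh path, writing the turnover
    message unless the entry carries the B (binary) flag."""
    os.rename(path, path + ".0")
    with open(path, "wb") as f:
        if not binary_flag:
            f.write(TURNOVER_MSG)


def compress_like_gzip(path):
    """gzip does not compress in place: it writes path.gz and unlinks path."""
    with open(path, "rb") as src, gzip.open(path + ".gz", "wb") as dst:
        dst.write(src.read())
    os.unlink(path)


def simulate(binary_flag=False):
    """Run the sequence from the thread and report what the capture process sees."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "tcpdump.pcap")
    # tcpdump -w: open the output once and keep the descriptor for its lifetime
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    os.write(fd, PCAP_GLOBAL_HEADER + pcap_record(1, b"\x00" * 60))

    rotate_like_newsyslog(path, binary_flag)   # newsyslog: size limit hit
    compress_like_gzip(path + ".0")            # newsyslog: Z/z flag -> gzip

    # The capture keeps writing to the descriptor it already holds.
    for i in range(100):
        os.write(fd, pcap_record(2 + i, b"\x00" * 60))
    st = os.fstat(fd)
    result = {
        "new_file_is_pcap": is_pcap(path),           # what tcpdump -r would accept
        "new_file_size": os.path.getsize(path),      # nobody writes packets here
        "old_inode_links": st.st_nlink,              # 0: unlinked but still open
        "old_inode_size": st.st_size,                # still growing, unreachable by name
        "rotated_gz_exists": os.path.exists(path + ".0.gz"),
    }
    os.close(fd)
    shutil.rmtree(workdir)
    return result
```

Two things fall out of running it. Without B the new tcpdump.pcap holds one line of text, which is exactly what tcpdump -r rejects as "bad dump file format"; with B it is empty, because no process ever writes to it. Either way the descriptor held by the capture process refers to an inode with a link count of zero, and that inode keeps growing with every packet, which is the disk-filling case Nick mentions. The B flag stops the corruption but cannot by itself move the capture onto the new file; that needs the capture process restarted on the new path.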



Re: tcpdump rotating issue with newsyslog

2022-04-10 Thread Thomas L.
On Sun, 10 Apr 2022 17:00:25 -0400
Nick Holland  wrote:
> On 4/10/22 9:39 AM, Yogendra Kumar Chaudhary wrote:
> > I am running the following command in the OpenBSD 6.2.

You should really upgrade. That version has not received security patches
for several years.

> So, I'm thinking you probably want a 'b' and a SIGHUP sent to tcpdump.
> You can validate my second point by disabling the compression, I
> suspect you will see your .0 file continue to grow in size, until it
> becomes .1, etc.

What Nick suspects is likely true, but tcpdump will just quit on
SIGHUP. You could restart the capture instead. Capturing network traffic
for days might use a lot of disk space though.

Kind regards,

Thomas



Re: tcpdump rotating issue with newsyslog

2022-04-10 Thread Pawel Kraszewski
First: as others mentioned, tcpdump isn't suited to output rotation
via tools like newsyslog. Even if you manage to restart it with a new
log, you'll probably skip some packets. You might implement some sort
of overlap (start tcpdump to a new file, *then* kill the old
one, and write a tool to seamlessly merge the flows).

Second: non-OpenBSD tcpdump supports the -C/-G/-W options that do the
rotation automatically (size- and age-based). I don't know whether they can
be backported.

Third: are you sure you want a long-running tcpdump? Perhaps netflow
would be enough... See pflow(4) + nfcapd(1). The latter does
autorotation and can call a compressor afterwards.

-- 
 Paweł Kraszewski
 GPG key: E030 A049 9C33 C1E9 28EA 50C9 821F DA62 0A90 D330
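Pawel's overlap scheme (start the second tcpdump, then kill the first) leaves a window that both captures record. The following is an added example, not a tool from the thread or from OpenBSD, of the merge step in Python: it parses both pcap files, drops the records that appear in both, and writes the union in timestamp order. It assumes the classic microsecond pcap format with the same link-layer type in both files, and that both tcpdump instances stamped a given packet with the same timestamp, which holds when the kernel takes one timestamp per packet before handing it to every BPF listener; if that is not the case on your system, replace the exact-match key with a small time window. Because the merged files come from the capture box rather than from the network, they are not hostile, but the parser still bounds-checks every length against snaplen and the file size rather than trusting incl_len. The sample packets in demo() are constructed.

```python
"""Merge two pcap captures whose windows overlap, dropping duplicate packets.
Added example, not code from the thread; sample packets are constructed."""
import struct

PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, zone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")         # ts_sec, ts_usec, incl_len, orig_len


def write_pcap(records, linktype=1, snaplen=65535):
    """Serialise (ts_sec, ts_usec, bytes) triples into a little-endian pcap blob."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, data in records:
        out += REC_HDR.pack(ts_sec, ts_usec, len(data), len(data)) + data
    return bytes(out)


def read_pcap(blob):
    """Parse a classic pcap blob in either byte order; reject anything else,
    including a file that begins with a newsyslog text line."""
    if len(blob) < GLOBAL_HDR.size:
        raise ValueError("bad dump file format")
    if blob[:4] == struct.pack("<I", PCAP_MAGIC):
        order = "<"
    elif blob[:4] == struct.pack(">I", PCAP_MAGIC):
        order = ">"
    else:
        raise ValueError("bad dump file format")
    ghdr = struct.Struct(order + "IHHiIII")
    rhdr = struct.Struct(order + "IIII")
    _, _, _, _, _, snaplen, linktype = ghdr.unpack_from(blob, 0)
    off = ghdr.size
    records = []
    while off < len(blob):
        if off + rhdr.size > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, _orig_len = rhdr.unpack_from(blob, off)
        off += rhdr.size
        # Never trust incl_len: cap it by the declared snaplen and the file itself.
        if incl_len > snaplen or off + incl_len > len(blob):
            raise ValueError("truncated or oversized packet at offset %d" % off)
        records.append((ts_sec, ts_usec, blob[off:off + incl_len]))
        off += incl_len
    return linktype, records


def merge_pcaps(old_blob, new_blob):
    """Union of both captures in timestamp order. Assumption: a packet seen by
    both tcpdump instances carries the same timestamp and bytes in each file,
    so (ts_sec, ts_usec, data) is the dedup key."""
    lt_old, old = read_pcap(old_blob)
    lt_new, new = read_pcap(new_blob)
    if lt_old != lt_new:
        raise ValueError("link types differ: %d vs %d" % (lt_old, lt_new))
    seen = set()
    merged = []
    for rec in sorted(old + new, key=lambda r: (r[0], r[1])):  # stable sort
        if rec in seen:
            continue
        seen.add(rec)
        merged.append(rec)
    return write_pcap(merged, linktype=lt_old)


def demo():
    """Constructed sample: packets B and C fall inside the overlap window."""
    old = write_pcap([(10, 0, b"A" * 20), (11, 500, b"B" * 20), (12, 0, b"C" * 20)])
    new = write_pcap([(11, 500, b"B" * 20), (12, 0, b"C" * 20), (13, 0, b"D" * 20)])
    _, merged = read_pcap(merge_pcaps(old, new))
    return [(ts_sec, data[:1]) for ts_sec, _, data in merged]
```

Run demo() and the overlap collapses to one copy of B and C between A and D. For real captures, read both files into memory, call merge_pcaps, and write the result; the output is a plain pcap that tcpdump -r and Wireshark read. The same read_pcap raises "bad dump file format" on a file that starts with the newsyslog turnover line, matching what tcpdump reports in the original question.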