Re: Interface security considerations



On 1/29/07, Victor Loureiro Lima <victorloureirolima@xxxxxxxxx> wrote:
> Hello -net@,
> 
> A question came into my mind a few days
> ago while I was coding some application using
> libpcap on FreeBSD:
> - What's the best way to determine if an application
> is listening on an interface and sniffing packets that
> go through it? I've seen that a couple of processes
> that are using libpcap can be traced back to open file
> descriptors to /dev/bpfX files using fstat(1); even with
> sockstat(1) I can figure out that a certain process has
> an open "something" and further investigate it, but I was
> wondering what the common practice is for FreeBSD users
> finding out this sort of thing?

See ports/net/bpfstat. BPF already exposes that info to the
userspace programs.


> - While I was trying to figure out which process was
> listening on a certain interface, I had an idea for a patch to
> the sys/net/bpf.c functions bpf_open() and bpf_close() that
> would simply printf(9) the PID (d->bd_pid = td->td_proc->p_pid;)
> of the process trying to open the BPF device. While
> it was a simple patch, I am not sure whether using the BPF device
> is the only possible way to sniff the packets from an
> interface; I know that Linux implements sock_packet, and
> some systems have DLPI. Just to get things straight:
> if an application wants to be able to sniff packets on an interface,
> is the only possible way (without messing with the kernel at all)
> using the BPF interface, or are there other ways (even if they
> are not portable outside FreeBSD at all) of doing this?

No, there aren't any other interfaces, unless you modify the
ether_input() routine. And BPF is the most portable method in use
nowadays.

> - Is "device bpf" enabled by default in the GENERIC kernel?

Yes.

> Thanks in advance,
> Victor Loureiro Lima
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"



--
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.
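The fstat(1) approach mentioned in the question, as an added example that is not part of the original thread: a POSIX sh script that parses fstat output and reports every process holding a descriptor on a /dev/bpf* node. The fstat sample embedded below is constructed, and it assumes (as an assumption about fstat's layout on FreeBSD) that the SZ|DV column reads "bpf" for a descriptor opened on the BPF cloning device; on a live host, pipe real output through it with `fstat | bpf_holders`.

```sh
#!/bin/sh
# Added example (not from the original thread): find processes that hold
# a /dev/bpf* descriptor by parsing fstat(1) output on FreeBSD.

# bpf_holders reads fstat-format lines from stdin and prints one
# "PID CMD USER" line per descriptor opened on a bpf device.
bpf_holders() {
    # fstat columns: USER CMD PID FD MOUNT INUM MODE SZ|DV R/W [NAME]
    # Assumption: for a BPF descriptor the SZ|DV column shows "bpf" (or
    # "bpfN" on systems with numbered nodes), so match on that prefix.
    while read -r user cmd pid fd mount inum mode dev rw rest; do
        if [ "$user" = "USER" ]; then
            continue          # skip the header line
        fi
        case "$dev" in
            bpf*) printf '%s %s %s\n' "$pid" "$cmd" "$user" ;;
        esac
    done
}

# Constructed sample of fstat output (not captured from a real host):
# two tcpdump descriptors in one process, a socket, a tty, and dhclient
# holding its own BPF descriptor, as it does on FreeBSD.
SAMPLE_FSTAT='USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
root     tcpdump     1234    3 /dev         18 crw-------    bpf  r
root     tcpdump     1234    4 /dev         18 crw-------    bpf  r
victor   sshd        2001    3* internet stream tcp fffff80003a1b000
victor   sh          2010    0 /dev         39 crw--w----  ttyv0 rw
root     dhclient     720    6 /dev         18 crw-------    bpf  r'

# bpf_holder_pids prints the distinct PIDs in the sample that hold a
# BPF descriptor, one per line (a process with several descriptors is
# listed once).
bpf_holder_pids() {
    printf '%s\n' "$SAMPLE_FSTAT" | bpf_holders | cut -d' ' -f1 | sort -u
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_FSTAT" | bpf_holders
```

fstat only shows that a process has a BPF descriptor open, not which interface it is attached to or whether the interface was put into promiscuous mode; that is the kernel-side information the bpfstat port exposed, and current FreeBSD ships the same view as `netstat -B`, which lists each BPF consumer with its PID, interface and flags. A process such as dhclient legitimately holds a BPF descriptor, so cross-check the command name before treating a hit as a sniffer.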