On 2008/09/24 14:12, Carl Horne wrote:
> Stuart,
>
> Thanks so much. I am using urlsnarf to log url requests and there
> is one instance running for each gre tunnel. I have a script that
> auto starts or stops one as soon as I add or remove a tunnel. So
> when I added a tunnel it would fire up a new instance, breaking
> tcpdump. Removing the tunnel would kill an instance, fixing tcpdump.
> I will have to figure out another way to get that data. Thanks for
> your help.
Some options to try:

- Create new bpf device nodes (using /dev/MAKEDEV), though I'm not sure what the usable limit is.

- In -current or the forthcoming 4.4 release, you can have PF log the packets to a pflog interface, and run urlsnarf on that interface. (A change was committed a few months ago to libnids, used by dsniff/urlsnarf, to permit capture on a pflog interface.) Then you can e.g. "pass in log (all, to pflog1) to port 80" and run urlsnarf on pflog1; then you only have one BPF listener. I'm not sure, but I'd guess that overheads should be lower this way. (You could also use pflog0 of course, but you might prefer to split it off so you can continue to log your normal blocked traffic via pflogd. pflog1 doesn't normally exist, so you would have to create the interface too: echo up > /etc/hostname.pflog1.)
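The second option above, assembled into one script as an added example (this is not Stuart's code and not part of the thread). It assumes OpenBSD with pf enabled and uses the interface name pflog1, port 80, /etc/pf.conf and /etc/hostname.pflog1 exactly as named in the mail; the DRY_RUN switch, the "apply" argument and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: send all matching HTTP packets to a
# dedicated pflog1 interface so that ONE urlsnarf instance (one BPF listener)
# replaces one capture process per GRE tunnel. Assumes OpenBSD with pf enabled.
# Invoke as "sh pflog-capture.sh apply" on the firewall; with DRY_RUN=1 it only
# prints what it would do, which is how it can be exercised offline.

PFLOG_IF="${PFLOG_IF:-pflog1}"   # pflog1: keeps pflog0/pflogd for blocked-traffic logs
HTTP_PORT="${HTTP_PORT:-80}"
DRY_RUN="${DRY_RUN:-0}"

# The pf rule from the mail: "log (all, to pflog1)" copies every matching
# packet, not only the first packet of each state, to the named pflog interface.
# (Adding "proto tcp" would narrow it to TCP only; urlsnarf only cares about TCP.)
pflog_rule() {
    printf 'pass in log (all, to %s) to port %s\n' "$1" "$2"
}

# Content of /etc/hostname.<iface>: netstart reads it at boot and clones the
# interface, so pflog1 survives a reboot (it does not exist by default).
hostname_file_content() {
    printf 'up\n'
}

# Run a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

setup_pflog_capture() {
    iface="$1"; port="$2"

    # 1. Create the interface now and make it persistent across reboots.
    run ifconfig "$iface" create
    run ifconfig "$iface" up
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ write /etc/hostname.%s: %s\n' "$iface" "$(hostname_file_content)"
    else
        hostname_file_content > "/etc/hostname.$iface"
    fi

    # 2. Add the logging rule and reload the ruleset. pf is last-match-wins,
    #    so in a real pf.conf place the rule where it is actually reached.
    rule="$(pflog_rule "$iface" "$port")"
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ append to /etc/pf.conf: %s\n' "$rule"
    else
        printf '%s\n' "$rule" >> /etc/pf.conf
        run pfctl -f /etc/pf.conf
    fi

    # 3. A single listener for every tunnel. To confirm packets arrive before
    #    trusting urlsnarf's output: tcpdump -n -e -ttt -i "$iface"
    run urlsnarf -i "$iface"
}

if [ "${1:-}" = "apply" ]; then
    setup_pflog_capture "$PFLOG_IF" "$HTTP_PORT"
fi
```

Because the rule logs to pflog1 rather than pflog0, pflogd keeps writing the normal block log to /var/log/pflog untouched, and adding or removing a GRE tunnel no longer starts or stops a capture process, so tcpdump is not competing for bpf devices with a changing number of urlsnarf instances.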

