Comments for \1 http://backreference.org Capture and remember Fri, 03 Feb 2012 08:42:14 +0000 hourly 1 http://wordpress.org/?v=3.3.1 Comment on Tun/Tap interface tutorial by waldner http://backreference.org/2010/03/26/tuntap-interface-tutorial/comment-page-1/#comment-24735 waldner Fri, 03 Feb 2012 08:42:14 +0000 http://backreference.org/?p=1189#comment-24735 I don't know if there's an easy way to do what you want. Perhaps using the TEE target of iptables, but it's just a wild guess. I don't know if there's an easy way to do what you want. Perhaps using the TEE target of iptables, but it's just a wild guess.

]]> Comment on Buildbot in 5 minutes by Dustin Row http://backreference.org/2011/10/08/buildbot-in-5-minutes/comment-page-1/#comment-24734 Dustin Row Fri, 03 Feb 2012 00:41:53 +0000 http://backreference.org/?p=3087#comment-24734 Thanks for examples! This helps out alot! Thanks for examples! This helps out alot!

]]> Comment on Tun/Tap interface tutorial by Nicandro http://backreference.org/2010/03/26/tuntap-interface-tutorial/comment-page-1/#comment-24733 Nicandro Mon, 30 Jan 2012 14:57:08 +0000 http://backreference.org/?p=1189#comment-24733 Yes I know how tcpdump works :) As you suggested it is good just for specific case, I want to be able to select traffic for instance even based on the packet length. That s why I need iptables (mangle / nat), because I have more options in order to split the traffic in more interfaces. Why do I want to do that? Because when too much traffic is coming, tcpdump may be not able to manage it all. So, by launching more processes of it, with different traffic to monitor, less traffic is lost by the kernel. tcpdump -i tun1 tcpdump -i tun2 (..) tcpdump -i tunN I can open more processes on more cores. So in my opinion what I should do is to split the traffic in more interfaces. In such a way, I can use the same interfaces for other applications (i.e. snort) What I wanted to know from you is: having known that the traffic is coming from and going to the real interface eth0, I want to send a copy of it (selected by filter of iptables) to tun1, tun2, .. tunN. I saw option of ip route 2 (tee, --gw, .. ) but they dont work. DO you know easier way to suggest? Sorry for disturbing, Thanks a lot for your help Yes I know how tcpdump works :)
As you suggested it is good just for specific case, I want to be able to select traffic for instance even based on the packet length. That s why I need iptables (mangle / nat), because I have more options in order to split the traffic in more interfaces.

Why do I want to do that? Because when too much traffic is coming, tcpdump may be not able to manage it all. So, by launching more processes of it, with different traffic to monitor, less traffic is lost by the kernel.

tcpdump -i tun1
tcpdump -i tun2
(..)
tcpdump -i tunN

I can open more processes on more cores.

So in my opinion what I should do is to split the traffic in more interfaces. In such a way, I can use the same interfaces for other applications (i.e. snort)

What I wanted to know from you is:
having known that the traffic is coming from and going to the real interface eth0, I want to send a copy of it (selected by filter of iptables) to tun1, tun2, .. tunN.

I saw option of ip route 2 (tee, --gw, .. ) but they dont work. DO you know easier way to suggest?

Sorry for disturbing,
Thanks a lot for your help

]]> Comment on Tun/Tap interface tutorial by waldner http://backreference.org/2010/03/26/tuntap-interface-tutorial/comment-page-1/#comment-24732 waldner Fri, 27 Jan 2012 17:48:17 +0000 http://backreference.org/?p=1189#comment-24732 Sorry, I don't understand what you're asking. If you're using tcpdump, you can specify a specific interface with -i or the special interface "any" which captures traffic on all interfaces (but not in promiscuous mode). If you want to capture only a certain type of traffic, you can specify filters to tcpdump, for example <code>tcpdump -i eth0 icmp</code> will capture only ICMP traffic, or <code>tcpdump -i eth0 tcp port 80</code> will capture (hopefully) only HTTP traffic, etc. The manual page for <b>tcpdump</b>, or <b>pcap-filter</b>, provides all the details on the syntax to use for filtering. Hope this answers your question. Sorry, I don't understand what you're asking. If you're using tcpdump, you can specify a specific interface with -i or the special interface "any" which captures traffic on all interfaces (but not in promiscuous mode).
If you want to capture only a certain type of traffic, you can specify filters to tcpdump, for example tcpdump -i eth0 icmp will capture only ICMP traffic, or tcpdump -i eth0 tcp port 80 will capture (hopefully) only HTTP traffic, etc. The manual page for tcpdump, or pcap-filter, provides all the details on the syntax to use for filtering.
Hope this answers your question.

]]> Comment on Tun/Tap interface tutorial by Nicandro http://backreference.org/2010/03/26/tuntap-interface-tutorial/comment-page-1/#comment-24731 Nicandro Fri, 27 Jan 2012 14:21:27 +0000 http://backreference.org/?p=1189#comment-24731 mmm what I would like to do is to monitor the traffic with tcpdump for example. and when I wanna do that, for sure I need to give them an interface, isnt ? Ok, when you check some info into the traffic it s better to reduce it somehow just selecting the one you more need to check. In this way the process is less stressed overall when it receives high rate traffic. Because of that I would like to route traffic incoming from eth0 into two virtual interfaces, the place where I attach a monitoring software, as tshark, tcpdump, etc. What do you think? mmm what I would like to do is to monitor the traffic with tcpdump for example.
and when I wanna do that, for sure I need to give them an interface, isnt ?
Ok, when you check some info into the traffic it s better to reduce it somehow just selecting the one you more need to check. In this way the process is less stressed overall when it receives high rate traffic.
Because of that I would like to route traffic incoming from eth0 into two virtual interfaces, the place where I attach a monitoring software, as tshark, tcpdump, etc.
What do you think?

]]>