Re: Capturing external packets sent to loopback (FreeBSD) ?

[Ray Bellis via tcpdump-workers <tcpdump-workers () lists tcpdump org>]

> --- Begin Message ---
>
>
> From: Ray Bellis <ray () bellis me uk>
>
> Date: Mon, 24 Feb 2020 17:45:28 +0000
>
> On 24/02/2020 17:19, Michael Richardson wrote:
> > Ray Bellis via tcpdump-workers <tcpdump-workers () lists tcpdump org> wrote:
> >     > I've got a daemon that listens on a virtual IP address, that is itself
> >     > attached to a cloned loopback interface on FreeBSD.
> >
> > What do you mean by cloned?
> >      ifconfig lo create
>
> Yes, indeed.  "cloned" is the FreeBSD parlance for that.
>
> > Is the address a public address via BGP/OSPF?  (because I know where this
> > comes from I guess)
>
> I figured you might guess :)   Yes, the address is _announced_ via BGP
> to upstream routers, but there could be multiple routers with packets
> arriving on multiple interfaces.
>
> > Linux has "any" which captures on "all" interfaces, and with the right stuff
> > in the libpcap layer can tell you which interface it came from.
> > It's not clear to me if adequately reveal this through the pcap API.
> > (I'm just ignorant right now here)
>
> I never considered "any" !   But you appear to be suggesting it's not
> available in FreeBSD ?
>
> > My guess is that the packets never actually "arrive" on the loopback
> > interface.  They arrive on all the other interfaces, and since the system is
> > using a weak-host model, the destination address will match any incoming
> > interface to get to the "loopback".
>
> Hmm...
>
> > I know diddly squat about FreeBSD packet capture since SunOS 4.0 BPF
> > days. Okay, maybe NetBSD 1.0 era.
> >
> > So I think you are SOL, and have to do thread-per-interface for now :-)
>
> I'll keep digging :)
>
> cheers,
>
> Ray
>
>
> --- End Message ---
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers