Dubious ifconfig / tcpdump behaviour

From: Stefano Busti (teppic11_at_yahoo.co.uk)
Date: 02/12/04

    Date: Thu, 12 Feb 2004 18:49:49 +0000 (GMT)
    To: freebsd-security@freebsd.org
    
    

    Hi, I have a FreeBSD 4.8 box connected to the net
    which until recently hasn't had any problems. Today
    DNS lookups mysteriously stopped working (the box has
    tinydns & dnscache installed to handle DNS requests).

    I noticed some strange things while checking the
    problem with tcpdump. Tcpdump appears not to show any
    traffic whatsoever on either my external interface or
    internal LAN interface, this despite the fact I was
    successfully pinging hosts over both interfaces from a
    different console while checking the traffic. I do get
    notified about promiscuous mode being enabled and
    disabled as normal, and a message at the end saying
    that packets were successfully received by the kernel.
    I just don't see the actual packets. Tcpdump had
    always worked fine before, and still works normally on
    the loopback interface.

    Also I seem to be unable to disable either of the
    affected interfaces with ifconfig, whereas in the past
    I never had a problem doing this. Requests to bring
    either interface down are silently ignored.

    Does anyone have an idea what the cause could be? Have
    I overlooked some obvious configuration issue, or
    might tcpdump, ifconfig or any system routines they
    call have been compromised? Sadly I hadn't installed
    an intrusion detector such as tripwire previously, and
    system logs don't _appear_ to show evidence of any compromise.

            
            
                    

