From: "Lyndon Nerenberg (VE7TFX/VE6BBM)" <lyndon@orthanc.ca>
To: Dan Mack
Cc: freebsd-current@freebsd.org
Subject: Re: native recording of all network connections on freebsd
In-reply-to: Dan Mack message dated "Wed, 28 Dec 2022 08:21:20 -0600."
Date: Wed, 28 Dec 2022 17:22:05 -0800
Message-ID: <1a196a2a8d9034d8@orthanc.ca>
List-Archive: https://lists.freebsd.org/archives/freebsd-current

Dan Mack writes:

> I'm wondering if anyone can help point me at a good way to continuously
> capture every inbound and outbound connection made to a freebsd system.

Assuming "connection" means "log every TCP connection setup", probably the quickest way is to tcpdump every TCP packet with both SYN and ACK set. That will log one packet for every TCP connection that is established with the system.

It won't capture anything for connection attempts that fail. If you want that as well, just log everything with SYN set. If you do the latter you will also collect the background noise from people port scanning you and attempting other nefarious deeds.

--lyndon
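The two capture filters Lyndon describes, plus a parser that turns each SYN+ACK line from tcpdump into a one-line connection record, as an added example that is not part of the original thread. The interface name, the local address and the sample tcpdump line are constructed; the filters use standard pcap-filter syntax.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.

# Filter 1: one packet per established connection (SYN and ACK both set).
# Equivalent to 'tcp[13] & 0x12 == 0x12'.
synack_filter() {
    printf '%s' 'tcp and (tcp[tcpflags] & (tcp-syn|tcp-ack)) == (tcp-syn|tcp-ack)'
}

# Filter 2: every SYN, so failed attempts (and port-scan noise) are logged too.
syn_filter() {
    printf '%s' 'tcp and (tcp[tcpflags] & tcp-syn) != 0'
}

# classify_synack LOCAL_IP "<tcpdump -n -tttt line>"
# A SYN+ACK is sent by the side that accepted, so src = server, dst = client.
# Prints "<date> <time> inbound|outbound client=ip:port server=ip:port";
# prints nothing for lines that are not a SYN+ACK.
classify_synack() {
    printf '%s\n' "$2" | awk -v local_ip="$1" '
        # "a.b.c.d.port" (tcpdump -n form) -> "a.b.c.d:port"
        function split_ep(ep,   n, parts, ip, i) {
            sub(/:$/, "", ep)              # drop the trailing colon on the destination
            n = split(ep, parts, ".")
            ip = parts[1]
            for (i = 2; i < n; i++) ip = ip "." parts[i]
            return ip ":" parts[n]
        }
        $3 == "IP" && $7 == "Flags" && index($8, "[S.]") == 1 {
            server = split_ep($4); client = split_ep($6)
            srv_ip = substr(server, 1, index(server, ":") - 1)
            dir = (srv_ip == local_ip) ? "inbound" : "outbound"
            print $1, $2, dir, "client=" client, "server=" server
        }'
}

# Continuous logger (needs root; not run by the test). "em0" and the local
# address are assumed placeholders; -l keeps tcpdump line-buffered.
log_established() {
    tcpdump -l -n -tttt -i em0 "$(synack_filter)" |
    while IFS= read -r line; do classify_synack 198.51.100.7 "$line"; done
}
```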