How do I configure the Berkeley Packet Filter and capture tcpdump traces?

1) Installing packet filter support
tcpdump relies on a kernel option that ordinarily isn't enabled. You can fix
this either by adding "options PACKETFILTER" to the system's configuration
file and rebuilding (via doconfig -c ) or by:

# doconfig


Enter a name for the kernel configuration file. [ALINGO]: FILTER

You want to name the configuration file 'FILTER'
Is that correct? (y/n) [y]: y


Selection Kernel Option
1 System V Devices
2 Logical Volume Manager (LVM)
3 Kernel Breakpoint Debugger (KDEBUG)
4 Packetfilter driver (PACKETFILTER)
5 STREAMS pckt module (PCKT)
6 Data Link Bridge (DLPI V2.0 Service Class 1)
7 X/Open Transport Interface (XTISO, TIMOD, TIRDWR)
8 File on File File System (FFM)
9 ISO 9660 Compact Disc File System (CDFS)
10 Audit Subsystem
11 Local Area Transport Support
12 All of the above
13 None of the above

Enter the selection number for each kernel option you want.
For example, 1 3 : 4

You selected the following kernel options:

Packetfilter driver (PACKETFILTER)

Is that correct? (y/n) [y]:

Rebuild and boot the new kernel.

2) Create the packetfilter devices:
# cd /dev
# ./MAKEDEV pfilt
MAKEDEV: special file(s) for pfilt:
pfilt0 pfilt1 pfilt2 pfilt3 pfilt4 pfilt5 pfilt6 ... pfilt63

3) Get a better tcpdump (pre V4.0 systems only)
Email me for a compressed, uuencoded file of a tcpdump that decodes NFS V3
and several other Sun RPC protocols (MOUNT, NIS, NLM, PORTMAP, and STATMON).

4) Enable local copy promiscuous mode
# pfconfig +p +c ln0 (or tu0 or whatever)

5) Run tcpdump
Please read the man pages before doing serious monitoring! To look at some
NFS traffic, try:

# tcpdump -s300 -c100 -Nt udp port 2049 [to look at all NFS traffic]
# tcpdump -s300 -c100 -Nt host foo [to look at all to/from foo]

-s300 "snaps" up the first 300 bytes of each message, generally enough to
get lower level headers, RPC, and enough NFS protocol to make sense of
the requests. -c100 says to capture 100 messages and exit. -N says to
suppress the domain name (e.g. in hostnames. -t says to
suppress printing timestamps. The result is usually still too long for
a 80 column screen, I keep a wide xterm lying around for most of my tcpdump
monitoring. The -m option splits some messages over multiple lines.

If you send people traces, I generally recommend that you capture data to
a binary file and send that. If the recipient needs to, he can run
tcpdump with extra filtering or -x (hex dump) to really dig into problems.
Do something like:

# tcpdump -w /usr/tmp/foo.dmp -s300 udp port 2049
tcpdump: listening on ln0
Using kernel BPF filter
1040 packets
# compress foo.dmp
# uuencode foo.dmp.Z foo.uu

Capturing to a file bypasses all the decoding code which can be very slow
and can generate its own IP traffic (e.g. resolving host names).
Suggest a Site