tcpdump -i any doesn't work on FreeBSD

Question

How to listen all interfaces on FreeBSD with tcpdump

> tcpdump -i any
tcpdump: any: No such device exists
(BIOCSETIF failed: Device not configured)

(I would like to listen ICMP)

As @RuiFRibeiro already stated, "any" is a Linux only option and doesn't work anywhere else. Read the man page. — Rob, Mar 18 '18 at 10:55
man page is here https://www.freebsd.org/cgi/man.cgi?tcpdump(1) it only speaks about `any` on Linux, without describing what to do on FreeBSD — Dims, Mar 18 '18 at 11:08
multiple -i might work, they might me what you need, even though they are not the same thing as any, that is non-promisc. — Rui F Ribeiro, Mar 18 '18 at 11:11

score 1 · Answer 1 · answered Aug 14 '20 at 17:29

I'm looking at this on FreeBSD 11.3 and there doesn't appear to be any way to do an "any". I thought multiple -is might work, despite the manpage's silence on it, but it only takes the first one. If tcpdump gets enhanced to support multiple -is then this ought to do it (or you can prove that it doesn't on your system):

tcpdump --list-interfaces | grep Running | cut -f 1 -d ' ' | cut -f 2- -d '.' | awk '{ print "-i " $1 }' | xargs -t -Jinterfaces tcpdump interfaces host 8.8.8.8

score 0 · Answer 2 · answered Mar 20 '18 at 03:52

From the tcpdump man page:

An interface argument of "all" or "pktap,all" can be used to capture packets from all interfaces, including loopback and tunnel interfaces.

Therefore you can simply do, for example:

tcpdump -i all tcp port 80

If you don't specify the -i flag, then a set of all interfaces are again included in a pseudo interface that by default excludes loopback and tunnel interfaces. Again from the tcpdump man page:

On Darwin systems version 13 or later, when the interface is unspecified, tcpdump will use a pseudo interface to capture packets on a set of interfaces determined by the kernel (excludes by default loopback and tunnel interfaces).

Is this from a Mac OS X machine? It doesn't seem to be available on FreeBSD 11.3. — Bill McGonigle, Aug 14 '20 at 16:46
Neither of the quotes you cite appear in [the FreeBSD `man` page for `tcpdump`](https://www.freebsd.org/cgi/man.cgi?query=tcpdump&apropos=0&sektion=1&manpath=FreeBSD+11.4-RELEASE+and+Ports&arch=default&format=html). — Jim L., Nov 23 '21 at 05:56

Jim L. · Answer 3 · 2021-11-22T18:48:22.690

I can't vouch for how well this method would serve any particular use case, but the brute force way to do this in FreeBSD would be to run N instances of tcpdump, one for each of the N interfaces known to ifconfig. You might run them as a grouped and backgrounded command, sending their combined output to a single file. It seems inevitable that the output file will have numerous duplicated packets, such as showing a packet when it arrives on interface a and then showing it again when it departs on interface b.

But if you really have to do it that way, consider:

{
    for i in $(ifconfig -l)
    do
        ( tcpdump -i $i & )
    done
} > tcpdump.out

score 0 · Answer 4 · answered Aug 02 '23 at 00:38

How to listen all interfaces on FreeBSD with tcpdump

Support capturing on multiple interfaces · Issue #480 · the-tcpdump-group/tcpdump (2015-09-07, open):

supports the observation by Bill McGonigle and others that essentially, it's impossible with tcpdump(1)
draws attention to Wireshark's dumpcap and (or) TShark, which do support capturing on multiple interfaces.

% which tshark
/usr/local/bin/tshark
% pkg provides bin/tshark
Name    : wireshark-nox11-4.0.7
Comment : Powerful network analyzer/capture tool (without GUI)
Repo    : FreeBSD
Filename: usr/local/bin/tshark

Name    : wireshark-4.0.7
Comment : Powerful network analyzer/capture tool
Repo    : FreeBSD
Filename: usr/local/bin/tshark
% pkg search -oq wireshark
net/wireshark
net/wireshark
% man -P less tshark
% man -P less dumpcap
%

net/wireshark in FreshPorts:

https://www.freshports.org/net/wireshark/

dumpcap(1) in FreeBSD ports:

https://man.freebsd.org/cgi/man.cgi?query=dumpcap&sektion=1&manpath=freebsd-ports

tshark(1) in FreeBSD ports:

https://man.freebsd.org/cgi/man.cgi?query=tshark&sektion=1&manpath=freebsd-ports
mentions ICMP.

score -3 · Answer 5 · answered Sep 18 '20 at 21:44

As with anything in FreeBSD: Reading the manpage usually explains everything.

       -i interface
   --interface=interface
      Listen on interface.  If unspecified, tcpdump searches the  sys-
      tem interface list for the lowest numbered, configured up inter-
      face (excluding loopback), which may turn out to be,  for  exam-
      ple, ``eth0''.

      On  Linux  systems with 2.2 or later kernels, an interface argu-
      ment of ``any'' can be used to capture packets from  all  inter-
      faces.   Note  that  captures  on the ``any'' device will not be
      done in promiscuous mode.

      If the -D flag is supported, an interface number as  printed  by
      that flag can be used as the interface argument, if no interface
      on the system has that number as a name.

https://www.freebsd.org/cgi/man.cgi?query=tcpdump&apropos=0&sektion=0&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html

tcpdump -i any doesn't work on FreeBSD

5 Answers5