How to listen all interfaces on FreeBSD with tcpdump
> tcpdump -i any tcpdump: any: No such device exists (BIOCSETIF failed: Device not configured) (I would like to listen ICMP)
5 Answers
I'm looking at this on FreeBSD 11.3 and there doesn't appear to be any way to do an "any". I thought multiple -is might work, despite the manpage's silence on it, but it only takes the first one. If tcpdump gets enhanced to support multiple -is then this ought to do it (or you can prove that it doesn't on your system):
tcpdump --list-interfaces | grep Running | cut -f 1 -d ' ' | cut -f 2- -d '.' | awk '{ print "-i " $1 }' | xargs -t -Jinterfaces tcpdump interfaces host 8.8.8.8 
From the tcpdump man page:
An interface argument of "all" or "pktap,all" can be used to capture packets from all interfaces, including loopback and tunnel interfaces.
Therefore you can simply do, for example:
tcpdump -i all tcp port 80 If you don't specify the -i flag, then a set of all interfaces are again included in a pseudo interface that by default excludes loopback and tunnel interfaces. Again from the tcpdump man page:
On Darwin systems version 13 or later, when the interface is unspecified, tcpdump will use a pseudo interface to capture packets on a set of interfaces determined by the kernel (excludes by default loopback and tunnel interfaces).
- 1Is this from a Mac OS X machine? It doesn't seem to be available on FreeBSD 11.3.Bill McGonigle– Bill McGonigle2020-08-14 16:46:59 +00:00Commented Aug 14, 2020 at 16:46
- 1Neither of the quotes you cite appear in the FreeBSD
manpage fortcpdump.Jim L.– Jim L.2021-11-23 05:56:48 +00:00Commented Nov 23, 2021 at 5:56
I can't vouch for how well this method would serve any particular use case, but the brute force way to do this in FreeBSD would be to run N instances of tcpdump, one for each of the N interfaces known to ifconfig. You might run them as a grouped and backgrounded command, sending their combined output to a single file. It seems inevitable that the output file will have numerous duplicated packets, such as showing a packet when it arrives on interface a and then showing it again when it departs on interface b.
But if you really have to do it that way, consider:
{ for i in $(ifconfig -l) do ( tcpdump -i $i & ) done } > tcpdump.out 
How to listen all interfaces on FreeBSD with
tcpdump
Support capturing on multiple interfaces · Issue #480 · the-tcpdump-group/tcpdump (2015-09-07, open):
- supports the observation by Bill McGonigle and others that essentially, it's impossible with tcpdump(1)
- draws attention to Wireshark's dumpcap and (or) TShark, which do support capturing on multiple interfaces.
% which tshark /usr/local/bin/tshark % pkg provides bin/tshark Name : wireshark-nox11-4.0.7 Comment : Powerful network analyzer/capture tool (without GUI) Repo : FreeBSD Filename: usr/local/bin/tshark Name : wireshark-4.0.7 Comment : Powerful network analyzer/capture tool Repo : FreeBSD Filename: usr/local/bin/tshark % pkg search -oq wireshark net/wireshark net/wireshark % man -P less tshark % man -P less dumpcap % net/wireshark in FreshPorts:
dumpcap(1) in FreeBSD ports:
tshark(1) in FreeBSD ports:
As with anything in FreeBSD: Reading the manpage usually explains everything.
-i interface --interface=interface Listen on interface. If unspecified, tcpdump searches the sys- tem interface list for the lowest numbered, configured up inter- face (excluding loopback), which may turn out to be, for exam- ple, ``eth0''. On Linux systems with 2.2 or later kernels, an interface argu- ment of ``any'' can be used to capture packets from all inter- faces. Note that captures on the ``any'' device will not be done in promiscuous mode. If the -D flag is supported, an interface number as printed by that flag can be used as the interface argument, if no interface on the system has that number as a name. 
- 3
- Apparently SKull didn't read the man page. :Pdeltaray– deltaray2024-05-30 02:05:10 +00:00Commented May 30, 2024 at 2:05
-i.anyon Linux, without describing what to do on FreeBSD