# capturing ezjail to ezjail traffic
## atOm- (Oct 11, 2013)

Hello,

As I begin using FreeBSD, I thank you for this forum. I have set up some ezjails on a FreeBSD host. One of them is a Heimdal KDC and another is a principal server of the realm. I can log in as a principal user from the server. As I follow this tutorial: http://www.freebsd.org/doc/handbook/kerberos5.html, one piece of advice is to check that the transaction does not divulge the password in the clear:
> When testing a Kerberized application, try using a packet sniffer such as tcpdump(1) to confirm that the password is not sent in the clear
When using tcpdump on the KDC and principal interfaces, it doesn't capture any packet.
```
tcpdump -w /tmp/dump.pcap src ip_kdc and dst ip_kdc
```

When I stop the KDC jail, the principal cannot log in. It should mean the transaction between the principal server and the KDC is made over the network.

Do you have any suggestions to help me out?
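Once a capture on the right interface exists, the handbook's advice can be checked offline. The following added example (not from this thread, written in Python rather than as a tcpdump invocation) reads a classic pcap file and reports which records contain a given string verbatim; the pcap bytes and the frames inside it are constructed in the block, with "hunter2" as a made-up password.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4  # little-endian pcap, as tcpdump writes on x86 hosts

def build_pcap(frames):
    """Wrap raw frames as a classic pcap file (link-type 1 = Ethernet). Constructed test data."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    body = b""
    for i, frame in enumerate(frames):
        # per-record header: ts_sec, ts_usec, captured length, original length
        body += struct.pack("<IIII", 1381449600 + i, 0, len(frame), len(frame)) + frame
    return header + body

def iter_records(data):
    """Yield (index, frame bytes) for each record in a classic pcap byte string."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset, index = 24, 0
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield index, data[offset:offset + incl_len]
        offset += incl_len
        index += 1

def find_cleartext(data, secret):
    """Return the indexes of records whose bytes contain the secret verbatim."""
    needle = secret.encode()
    return [i for i, frame in iter_records(data) if needle in frame]

# Constructed frames: 14 dummy Ethernet header bytes followed by made-up payloads.
# Frame 0 imitates a Kerberos request (no password on the wire); frame 1 imitates
# a protocol that does send the password in clear.
SAMPLE_FRAMES = [
    b"\x00" * 14 + b"AS-REQ cname=alice realm=EXAMPLE.ORG padata=ENC-TIMESTAMP",
    b"\x00" * 14 + b"USER alice\r\nPASS hunter2\r\n",
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    print("records containing the password in clear:", find_cleartext(SAMPLE_PCAP, "hunter2"))
```

To run it against a real capture, replace SAMPLE_PCAP with the bytes read from the file tcpdump wrote with -w.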

----------

## SirDice (Oct 11, 2013)

atOm- said:

> When using tcpdump on the KDC and principal interfaces, it doesn't capture any packet.
>
> ```
> ...
> ```

This only captures traffic that has both the source _and_ destination IP of ip_kdc. And because traffic like that never actually passes out of the interface you'll never capture anything. What you probably wanted to do is:

```
tcpdump -w /tmp/dump.pcap src ip_kdc or dst ip_kdc
```

----------

## atOm- (Oct 11, 2013)

Thank you SirDice for this remark, I changed the command.

However, the void persists. To be more precise, I try to capture from the host on the ezjails' interfaces. The following is what I get:

```
root@host:/tmp # /usr/local/sbin/tcpdump -w /tmp/dump2.pcap src ip_kdc or dst ip_kdc
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C0 packets captured
111 packets received by filter
0 packets dropped by kernel
```

Launching tcpdump inside the jail returns an error:

```
root@kdc # tcpdump -w /tmp/dump2.pcap -i lo8 src ip_kdc or dst ip_kdc
tcpdump: (cannot open device) /dev/bpf: No such file or directory
```

----------

## junovitch@ (Oct 12, 2013)

Try doing the tcpdump on the host using -i lo0. Internal traffic should not traverse the em0 interface, but you should be able to catch it on the loopback.

----------