tcpdump and packets filtered by iptables

Post by Alex » Thu, 27 May 2004 23:50:40



Hello

Does tcpdump on an interface see the packets that are filtered out by
iptables rules? Does it matter if it's in INPUT or FORWARD chain?

This is probably documented somewhere but I can't find (I do not feel
up to reading kernel source ;)
Thanks a lot

Alex

Post by Jeroen Geilman » Fri, 28 May 2004 08:26:26



> Hello

> Does tcpdump on an interface see the packets that are filtered out by
> iptables rules? Does it matter if it's in INPUT or FORWARD chain?

No and yes.

From the man page:

Tcpdump  prints  out  the  headers of packets on a network interface
that match the boolean expression.

Note that it only listens on an interface - i.e. the point at which the
packets enter or leave the computer.

If you know your iptables then you know that only the output chain of any
table is filtered; the correct sequence (for the standard filter table) is:

wire -> NIC -> tcpdump -> INPUT chain

and

OUTPUT chain -> tcpdump -> NIC -> wire.

tcpdump listens in between the NIC and the iptables kernel code.

> This is probably documented somewhere but I can't find (I do not feel
> up to reading kernel source ;)

Then don't; even though iptables functionality is included in the kernel
the actual program is on www.netfilter.org.
Go there and be edified.

--
Jeroen Geilman

Analog bits courtesy of adaptr.
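A way to confirm the capture point described in this reply on a Linux host, as an added example (not part of the thread and not tcpdump's or netfilter's own code): while tcpdump captures a peer's echo requests on the NIC, an INPUT DROP rule discards them, and the rule's packet counter is compared with what the capture holds. The interface, peer address and the sample iptables-save text are assumptions; the parser part runs without root.

```sh
#!/bin/sh
# Added example, not from the thread. tcpdump attaches at the NIC, before
# INPUT, so packets an INPUT DROP rule discards are still captured and the
# rule's packet counter can never exceed what tcpdump saw. Assumes root,
# legacy iptables/iptables-save and tcpdump; IFACE, PEER and SAMPLE_SAVE
# are constructed placeholders.
IFACE="${IFACE:-eth0}"
PEER="${PEER:-192.0.2.10}"
PCAP="${PCAP:-/tmp/dropped.pcap}"

# Packet counter of the first "-j DROP" rule for a chain and protocol, read
# from `iptables-save -c` lines such as:
#   [pkts:bytes] -A INPUT -s 192.0.2.10/32 -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
drop_counter() { # $1 = iptables-save -c text, $2 = chain, $3 = protocol name
    n=$(printf '%s\n' "$1" | awk -v chain="$2" -v proto="$3" '
        $0 ~ ("^\\[[0-9]+:[0-9]+] -A " chain " ") && $0 ~ (" -p " proto " ") && / -j DROP$/ {
            split(substr($1, 2, length($1) - 2), c, ":"); print c[1]; exit }')
    echo "${n:-0}"
}

# Ingress: tcpdump sits before the filter, so it must have seen at least every
# packet the rule dropped. Fewer means the capture itself lost packets.
classify() { # $1 = dropped count, $2 = captured count
    if [ "$2" -ge "$1" ]; then echo "capture-before-filter"; else echo "capture-missed-packets"; fi
}

# Live check (root). The same rule in OUTPUT gives the opposite picture:
# tcpdump sees outbound packets only after OUTPUT, so dropped ones never appear.
run_live_check() {
    tcpdump -ni "$IFACE" -w "$PCAP" "icmp[icmptype] = icmp-echo and src host $PEER" & tdpid=$!
    sleep 1   # let tcpdump attach before the rule starts counting
    iptables -I INPUT 1 -i "$IFACE" -s "$PEER" -p icmp --icmp-type echo-request -j DROP
    sleep 10  # PEER should be pinging this host during this window
    dropped=$(drop_counter "$(iptables-save -c -t filter)" INPUT icmp)
    iptables -D INPUT -i "$IFACE" -s "$PEER" -p icmp --icmp-type echo-request -j DROP
    kill "$tdpid"; wait "$tdpid" 2>/dev/null
    captured=$(tcpdump -nr "$PCAP" 2>/dev/null | wc -l)
    echo "dropped by INPUT: $dropped  captured: $captured  -> $(classify "$dropped" "$captured")"
}

# Constructed iptables-save -c text, to exercise the parser without root.
SAMPLE_SAVE='*filter
:INPUT ACCEPT [120:9600]
[7:588] -A INPUT -s 192.0.2.10/32 -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
[3:180] -A INPUT -p tcp -m tcp --dport 23 -j DROP
COMMIT'

if [ "${1:-}" = "--live" ]; then run_live_check; else
    echo "sample INPUT icmp DROP counter: $(drop_counter "$SAMPLE_SAVE" INPUT icmp)"
fi
```

Run it with `--live` as root on a host the peer is pinging; without the flag it only parses the constructed sample.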

Post by Alex » Fri, 28 May 2004 23:34:59




> > Hello

> > Does tcpdump on an interface see the packets that are filtered out by
> > iptables rules? Does it matter if it's in INPUT or FORWARD chain?

> No and yes.

> From the man page:

> Tcpdump  prints  out  the  headers of packets on a network interface
> that match the boolean expression.

> Note that it only listens on an interface - i.e. the point at which the
> packets enter or leave the computer.

Thanks a lot. This note is missing from tcpdump 3.6 on redhat 7.2

I do enjoy reading well written docs - and netfilter guides are among my
favorites ;)

Alex

> If you know your iptables then you know that only the output chain of any
> table is filtered; the correct sequence (for the standard filter table) is:

> wire -> NIC -> tcpdump -> INPUT chain

> and

> OUTPUT chain -> tcpdump -> NIC -> wire.

> tcpdump listens in between the NIC and the iptables kernel code.

> > This is probably documented somewhere but I can't find (I do not feel
> > up to reading kernel source ;)

> Then don't; even though iptables functionality is included in the kernel
> the actual program is on www.netfilter.org.
> Go there and be edified.
