by Alex » Thu, 27 May 2004 23:50:40
Does tcpdump on an interface see the packets that are filtered out by
iptables rules? Does it matter if it's in INPUT or FORWARD chain?
This is probably documented somewhere but I can't find (I do not feel
up to reading kernel source ;)
Thank a lot
Alex
by Jeroen Geilma » Fri, 28 May 2004 08:26:26
> Does tcpdump on an interface see the packets that are filtered out by
> iptables rules? Does it matter if it's in INPUT or FORWARD chain?
From the man page:
Tcpdump prints out the headers of packets on a network interface
that match the boolean expression.
Note that it only listens on an interface - i.e. the point at which the
packets enter or leave the computer.
If you know your iptables then you know that only the ouput chain of any
table is filtered; the correct sequence (for the standard filter table) is:
wire -> NIC -> tcpdump -> INPUT chain
and
OUPUT chain -> tcpdump -> NIC -> wire.
tcpdump listens in between the NIC and the iptables kernel code.
Then don't; even though iptables functionality is included in the kernelQuote:> This is probably documented somewhere but I can't find (I do not feel
> up to reading kernel source ;)
--
Jeroen Geilman
Analog bits courtesy of adaptr.
by Alex » Fri, 28 May 2004 23:34:59
> > Hello
> > Does tcpdump on an interface see the packets that are filtered out by
> > iptables rules? Does it matter if it's in INPUT or FORWARD chain?
> No and yes.
> From the man page:
> Tcpdump prints out the headers of packets on a network interface
> that match the boolean expression.
> Note that it only listens on an interface - i.e. the point at which the
> packets enter or leave the computer.
I do enjoy reading well written docs - and netfilter guides are among my
favorites ;)
Alex
Quote:> If you know your iptables then you know that only the ouput chain of any
> table is filtered; the correct sequence (for the standard filter table) is:
> wire -> NIC -> tcpdump -> INPUT chain
> and
> OUPUT chain -> tcpdump -> NIC -> wire.
> tcpdump listens in between the NIC and the iptables kernel code.
> > This is probably documented somewhere but I can't find (I do not feel
> > up to reading kernel source ;)
> Then don't; even though iptables functionality is included in the kernel
> the actual program is on www.netfilter.org.
> Go there and be edified.
1. errors with Berkeley Packet Filter when running tcpdump
just installed 3.2 from CD, when running tcpdump, i got
errors as:
$ tcpdump
tcpdump: /dev/bpf0: Permission denied
$
same box/NIC works well with tcpdump when running redhat6.1
is there anywhere i need config the kernel with Berkeley Packet Filter
(bpf)? and how?
i choose "expert" mode when install, did not see any option asking
me for that.
really eager to settle it, please help!!
Sent via Deja.com http://www.deja.com/
Before you buy.
2. 81 second delay for internet server
3. New tcpdump and Berkeley Packet Filter available for anonymous ftp
4. Migrating From Sun Solaris to IBM AIX 4.2
5. tcpdump and the Berkeley Packet Filter
6. How many NT admins does it take to change a lightbulb?
7. tcpdump filter for BOOTP/DHCP packets?
9. iptables not filtering packets thru bridge
10. iptables v1.2.2: can't initialize iptables table `filter': Table does not exist
11. iptables "can't initialize iptables table `filter'"
12. what to filter in a packet filter
13. iptables v1.2.2: can't initialize iptables table `filter': Table does not exist