
Bug#540074: netfilter leaking traffic when long chains defined



Right, I am trying to capture some traffic using:

tcpdump -f -xx '( port 8000 ) and (( ! src net 10.0.0.0/8 ) or ( ! dst net 10.0.0.8 ))'

This will capture traffic from the live system, which is using service port 8000, rather than test port 9999, which is from test. (On the live system the service port number is 8000, rather than 9999, and the script has been modified to reflect this).

netstat -a reveals:

tcp        0      0 neptune.markhobley:8000 118-168-141-172.dy:3388 ESTABLISHED

I am not getting any output against host 118.168.141.172 after an interval of 10 minutes. I was expecting to see some kind of "keep alive" here, or the connection to time out (via the idle timer) and close. I am not seeing this via tcpdump. Does that occur at a lower level than tcpdump?

I am getting malicious traffic showing from other hosts, but unfortunately tcpdump logs the traffic before the filter, so this has to be ignored.

It would be useful here if I could log only traffic that passes the filter. Can I do this?

Currently to determine traffic passing the filter, I have to look for an incoming packet that causes a response from the application. These are infrequent, but I expect to find one over a period of several days.

I will try to rig this up for permanent monitoring, and post a follow-up over the next few days.

Mark.





