Lucas Mocellin <lucasmocellin@gmail.com> wrote on Thursday, September 25, 2008 7:57:16 PM
> I marked some packets with iptables (-j MARK), and I want to "see" this set.
>
> I tried to search google, but nothing related. tcpdump doesn't seems help with that.
The MARK target _associates_ a mark with the packet in the kernel data structures. That is, the packet itself is not modified. The sniffers tcpdump and ethereal only see the packages as they come in / go out through the wire. Even if you MARK a packet that is subsequently sent out on the wire, only the packet itself, not associated
kernel datastructures are available to the sniffers.
Guessing wildly, there may be a way of creating an extraordinary loopback device and have the router forward marked packets through that device, and have the sniffers sniff that device. Lots of research required, I guess.
Regards