
Re: how to sniff marked packets by iptables



Lucas Mocellin <lucasmocellin@gmail.com> wrote on Thursday, September 25, 2008 7:57:16 PM

> I marked some packets with iptables (-j MARK), and I want to "see" this set.
>
> I tried to search Google, but nothing related. tcpdump doesn't seem to help with that.

The MARK target _associates_ a mark with the packet in the kernel data structures. That is, the packet itself is not modified. The sniffers tcpdump and ethereal only see the packets as they come in / go out through the wire. Even if you MARK a packet that is subsequently sent out on the wire, only the packet itself, not the associated kernel data structures, is available to the sniffers.

Guessing wildly, there may be a way of creating an extraordinary loopback device and have the router forward marked packets through that device, and have the sniffers sniff that device. Lots of research required, I guess.

Regards

