On Mon, 2008-09-29 at 05:34 -0700, Djingo Cacadril wrote:
> Lucas Mocellin <lucasmocellin@gmail.com> wrote on Thursday, September 25, 2008 7:57:16 PM
>
> > I marked some packets with iptables (-j MARK), and I want to "see" this set.
> >
> > I tried to search google, but nothing related. tcpdump doesn't seem to help with that.
>
> The MARK target _associates_ a mark with the packet in the kernel data
> structures. That is, the packet itself is not modified. The sniffers
> tcpdump and ethereal only see the packages as they come in / go out
> through the wire. Even if you MARK a packet that is subsequently sent
> out on the wire, only the packet itself, not the associated kernel
> data structures, is available to the sniffers.
>
> Guessing wildly, there may be a way of creating an extraordinary
> loopback device and have the router forward marked packets through
> that device, and have the sniffers sniff that device. Lots of research
> required, I guess.