
Re: how to sniff marked packets by iptables



On Mon, Sep 29, 2008 at 10:33:38AM -0300, Lucas Mocellin wrote:
> Ok, I understood, but creating a dummy device to sniff it on an operational
> server I think is not the best solution.
> 
> But, I have never thought about -j LOG, kkkkkkkkkkk if I do a filter by the
> mark, and -j LOG, I think it's sufficient.

use ulog, it can store packets in pcap style

alex

> 
> thanks!!
> 
> Lucas.
> 
> 2008/9/29 Mariusz Kruk <kruk@epsilon.eu.org>
> 
> > On pon, 2008-09-29 at 05:34 -0700, Djingo Cacadril wrote:
> > > Lucas Mocellin <lucasmocellin@gmail.com> wrote on Thursday, September
> > > 25, 2008 7:57:16 PM
> > >
> > > > I marked some packets with iptables (-j MARK), and I want to "see"
> > > this set.
> > > >
> > > > I tried to search google, but nothing related. tcpdump doesn't seem to
> > > help with that.
> > >
> > > The MARK target _associates_ a mark with the packet in the kernel data
> > > structures. That is, the packet itself is not modified. The sniffers
> > > tcpdump and ethereal only see the packets as they come in / go out
> > > through the wire. Even if you MARK a packet that is subsequently sent
> > > out on the wire, only the packet itself, not the associated kernel
> > > data structures, is available to the sniffers.
> > >
> > > Guessing wildly, there may be a way of creating an extraordinary
> > > loopback device and have the router forward marked packets through
> > > that device, and have the sniffers sniff that device. Lots of research
> > > required, I guess.
> >
> > There is a possibility to do a 'routing thru a loop'.
> > http://lists.netfilter.org/pipermail/netfilter/2005-April/059970.html
> > It's an extremely ugly solution (even though it's mine ;->), but I think
> > you'd need it if you want to inspect the actual connection. Just routing
> > the packets away thru a dummy device wouldn't solve the problem since no
> > connections could be made.
> > OTOH, if you don't need to browse the payload, you could just stick with
> > -j LOG.
> >
> >
> >

-- 
"Tommy (Thompson) is a good listener, and he's a pretty good actor, too. "

	- George W. Bush
08/13/2002
Waco, TX
apparently confusing his Health and Human Services secretary with Sen. Fred Thompson
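As an added illustration of the `-j LOG` approach discussed in this thread (example code, not from any of the posters): the LOG target writes one line per packet to the kernel log and appends a `MARK=0x...` field when the packet carries a nonzero mark, so the marks become visible in `/var/log/kern.log` even though they never reach the wire. The script below parses such lines, keeps only those with a given mark, and counts them per flow. The log lines and the iptables rules quoted in the comments are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of what `iptables -j LOG` writes to the kernel log. Assumes
# (hypothetical) rules that mark SSH packets and then log only the marked ones:
#   iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 0x1
#   iptables -A INPUT -m mark --mark 0x1 -j LOG --log-prefix "MARKED: "
# The LOG target appends a MARK=0x... field only when the packet's mark is nonzero.
SAMPLE_LOG = """\
Sep 29 10:33:38 gw kernel: MARKED: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
Sep 29 10:33:39 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.20 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=ICMP TYPE=8 CODE=0
Sep 29 10:33:40 gw kernel: MARKED: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=777 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x1
"""

# Optional "--log-prefix" text, then the KEY=value fields starting at IN=.
LINE_RE = re.compile(r"kernel: (?:(?P<prefix>[^=]*?): )?(?P<fields>IN=.*)$")
FIELD_RE = re.compile(r"\b(?P<key>[A-Z]+)=(?P<val>\S*)")


def parse_log_line(line: str) -> Optional[Dict[str, object]]:
    """Turn one LOG line into a dict of KEY=value fields plus the mark as an int."""
    m = LINE_RE.search(line)
    if m is None:
        return None  # not an iptables LOG line
    rec: Dict[str, object] = {"PREFIX": m.group("prefix") or ""}
    for f in FIELD_RE.finditer(m.group("fields")):
        rec[f.group("key")] = f.group("val")
    # Bare flags such as DF or SYN carry no '=' and are skipped; a missing
    # MARK field means the kernel saw a zero mark.
    rec["mark"] = int(str(rec.pop("MARK", "0x0")), 16)
    return rec


def marked_packets(log_text: str, mark: int) -> List[Dict[str, object]]:
    """Return the parsed records whose mark equals `mark`."""
    records = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is not None and rec["mark"] == mark:
            records.append(rec)
    return records


def flows(records: List[Dict[str, object]]) -> Dict[tuple, int]:
    """Count packets per (SRC, DST, PROTO, DPT) so one noisy flow stands out."""
    counts: Dict[tuple, int] = {}
    for r in records:
        key = (r.get("SRC"), r.get("DST"), r.get("PROTO"), r.get("DPT"))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in flows(marked_packets(SAMPLE_LOG, 0x1)).items():
        print(n, key)
```

For full payloads rather than headers, the ULOG/NFLOG targets mentioned in the thread hand the packet to a userspace daemon (ulogd) that can write pcap files; the LOG parser above only recovers what the kernel prints.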
