tcpdump mailing list archives
Re: LIBPCAP: ULOG iptables capturing
From: Johan Verrept <jove () exelsys be>
Date: Wed, 10 Sep 2003 23:07:33 +0200
That depends on the information supplied by the netlink stuff. I presume you get raw network-layer (IP, IPv6, IPX, etc.) packet data from it. It probably also supplies an indication of the network-layer protocol, and perhaps other information. What information does it supply?
I haven't tried, but I think it are indeed raw packets. At least, when ulogd writes pcap files, it writes them with LINKTYPE_RAW. Except the packet itself, ulog provides a message structure containing timestamp info, which iptables hook captured the data, input and output device name, a MAC address and an arbitrary prefix which can be controlled by the rule. I am not sure whether all this information will always be supplied. For example if you capture the packet before routing, I doubt it will have the output device set. I guess the hook variable will determine which fields are valid. Which MAC address is supplied is also unclear, although it seems likely this is the source MAC. Since it is possible to get packets from different hooks on the same netlink group, I think only the raw packets can be guaranteed.
J. - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
Current thread:
- LIBPCAP: ULOG iptables capturing Johan Verrept (Sep 06)
- Re: LIBPCAP: ULOG iptables capturing Guy Harris (Sep 08)
- Re: LIBPCAP: ULOG iptables capturing Johan Verrept (Sep 10)
- Re: LIBPCAP: ULOG iptables capturing Guy Harris (Sep 10)
- Re: LIBPCAP: ULOG iptables capturing Johan Verrept (Sep 11)
- Re: LIBPCAP: ULOG iptables capturing Guy Harris (Sep 11)
- Re: LIBPCAP: ULOG iptables capturing Johan Verrept (Sep 12)
- Re: LIBPCAP: ULOG iptables capturing Guy Harris (Sep 12)
- Re: LIBPCAP: ULOG iptables capturing Johan Verrept (Sep 10)
- Re: LIBPCAP: ULOG iptables capturing Guy Harris (Sep 08)