tcpdump mailing list archives

Re: How does packet capture interact with firewalls?


From: Phil Vandry <vandry () TZoNE ORG>
Date: Wed, 23 Sep 2009 16:56:12 -0400

On Wed, 23 Sep 2009 16:38:06 -0400, Robert Burgess wrote:
> I guess I'm not sure.  What I want is a chain of these things so that
> each one waits for the previous to pass on the packet, and I don't want
> to tie myself down to the topology.  On a switched ether, for instance,

OK. That definitely makes it messier :-) But you can still avoid
recapturing your own output packets. One way to do it is to ignore
captured packets if the source MAC address is your own. Others on this
list probably know a better way though (unidirectional capture or
direction indication?).

I guess you are rewriting both the source and destination MAC address of
the packet before you reinject it anyway? You would have to do that in
order to direct the packet at the next hop in the chain (destination)
and keep the ethernet switch's MAC learning table consistent (source).

Or you could consider not using pcap at all. I don't know what your
application is but it's possible you could accomplish it just by
receiving and sending on raw IP sockets. That's also quite portable.

Good luck.

-Phil
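
The source-MAC check and header rewrite described in the message above, as an added example that is not part of the original post or of libpcap. It works on a raw frame buffer so it does not depend on any capture library; `relay_hop`, `relay_prepare` and the sample MAC addresses are hypothetical names and constructed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAC_LEN     6
#define ETH_HDR_LEN 14  /* dst MAC (6) + src MAC (6) + EtherType (2) */

enum relay_verdict { RELAY_FORWARD, RELAY_DROP_OWN, RELAY_DROP_SHORT };

/* Hypothetical per-hop state: this host's MAC and the next hop's MAC. */
struct relay_hop {
    uint8_t own_mac[MAC_LEN];
    uint8_t next_hop_mac[MAC_LEN];
};

/* Classify one captured frame; rewrite its header in place if forwarding. */
enum relay_verdict relay_prepare(const struct relay_hop *hop,
                                 uint8_t *frame, size_t caplen)
{
    if (caplen < ETH_HDR_LEN)
        return RELAY_DROP_SHORT;        /* no complete Ethernet header */

    /* Source MAC is bytes 6..11; a match means we captured our own output. */
    if (memcmp(frame + MAC_LEN, hop->own_mac, MAC_LEN) == 0)
        return RELAY_DROP_OWN;

    memcpy(frame, hop->next_hop_mac, MAC_LEN);        /* direct at next hop */
    memcpy(frame + MAC_LEN, hop->own_mac, MAC_LEN);   /* keep switch learning consistent */
    return RELAY_FORWARD;
}

/* Constructed sample: locally administered MACs, IPv4 EtherType, no payload. */
static const struct relay_hop sample_hop = {
    { 0x02, 0, 0, 0, 0, 0x0b }, { 0x02, 0, 0, 0, 0, 0x0c }
};
static uint8_t sample_frame[ETH_HDR_LEN] = {
    0x02, 0, 0, 0, 0, 0x0b,   /* dst: this hop */
    0x02, 0, 0, 0, 0, 0x0a,   /* src: previous hop */
    0x08, 0x00
};

/* First pass forwards the frame; seeing the rewritten frame again drops it. */
int relay_demo(void)
{
    enum relay_verdict first  = relay_prepare(&sample_hop, sample_frame, ETH_HDR_LEN);
    enum relay_verdict second = relay_prepare(&sample_hop, sample_frame, ETH_HDR_LEN);
    return first == RELAY_FORWARD && second == RELAY_DROP_OWN;
}
```

Where the platform supports it, libpcap's `pcap_setdirection()` with `PCAP_D_IN` is the direction-based alternative to this check.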