tcpdump mailing list archives

Re: LIBPCAP: ULOG iptables capturing


From: Johan Verrept <jove () exelsys be>
Date: Wed, 10 Sep 2003 23:07:33 +0200


That depends on the information supplied by the netlink stuff.  I
presume you get raw network-layer (IP, IPv6, IPX, etc.) packet data from
it.  It probably also supplies an indication of the network-layer
protocol, and perhaps other information.  What information does it
supply?

I haven't tried, but I think they are indeed raw packets. At least, when ulogd writes pcap files, it writes them with LINKTYPE_RAW. Besides the packet itself, ulog provides a message structure containing timestamp info, which iptables hook captured the data, input and output device name, a MAC address and an arbitrary prefix which can be controlled by the rule. I am not sure whether all this information will always be supplied. For example, if you capture the packet before routing, I doubt it will have the output device set. I guess the hook variable will determine which fields are valid. Which MAC address is supplied is also unclear, although it seems likely this is the source MAC. Since it is possible to get packets from different hooks on the same netlink group, I think only the raw packets can be guaranteed.

        J.
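An added example (not from the post, ulogd or libpcap) of a consumer that treats only the raw packet as guaranteed and reports the other fields as present only when filled in: the struct layout, field sizes, hook and timestamp values are assumptions made for illustration, not the kernel's ipt_ULOG header, and the sample message is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
enum { IFNAME_LEN = 16, PREFIX_LEN = 32, MAC_LEN = 80 };   /* assumed sizes */
struct ulog_msg {                   /* assumed layout; fields as the post lists them */
    uint32_t timestamp_sec, timestamp_usec;
    uint32_t hook;                  /* which iptables hook delivered the packet */
    char     indev[IFNAME_LEN];     /* may be empty, depending on the hook */
    char     outdev[IFNAME_LEN];    /* likewise (e.g. before routing) */
    uint32_t data_len;              /* bytes of raw packet after the header */
    char     prefix[PREFIX_LEN];    /* rule-controlled log prefix */
    uint8_t  mac_len, mac[MAC_LEN]; /* which address this is is not defined */
    uint8_t  payload[];             /* raw network-layer packet (LINKTYPE_RAW) */
};
#define HDR_LEN offsetof(struct ulog_msg, payload)
struct ulog_view {                  /* what a consumer can actually rely on */
    const uint8_t *pkt; uint32_t pkt_len;
    int has_indev, has_outdev, has_mac;
};
/* Returns 0 and fills *v, or -1 if the message is malformed.  Only the raw
 * packet is guaranteed; device names and MAC are flagged only when present. */
int ulog_parse(const uint8_t *buf, size_t len, struct ulog_view *v) {
    const struct ulog_msg *m = (const struct ulog_msg *)buf;
    if (len < HDR_LEN) return -1;                        /* truncated header */
    if (m->data_len > len - HDR_LEN) return -1;          /* data_len overruns buffer */
    if (m->mac_len > MAC_LEN) return -1;
    if (!memchr(m->indev, 0, IFNAME_LEN) || !memchr(m->outdev, 0, IFNAME_LEN)
        || !memchr(m->prefix, 0, PREFIX_LEN)) return -1; /* unterminated strings */
    v->pkt = buf + HDR_LEN; v->pkt_len = m->data_len;
    v->has_indev  = m->indev[0]  != '\0';
    v->has_outdev = m->outdev[0] != '\0';
    v->has_mac    = m->mac_len > 0;
    return 0;
}
/* Constructed sample: input device known, output device not yet known (as
 * before routing), 6-byte MAC, 20-byte made-up IPv4 header as the payload.
 * Returns the total message length, or 0 if buf is too small. */
size_t ulog_build_sample(uint8_t *buf, size_t cap) {
    static const uint8_t ip[20] = {0x45,0,0,20, 0,0,0x40,0, 64,1,0,0, 10,0,0,1, 10,0,0,2};
    struct ulog_msg *m = (struct ulog_msg *)buf;
    if (cap < HDR_LEN + sizeof ip) return 0;
    memset(buf, 0, HDR_LEN);
    m->timestamp_sec = 1063228053; m->hook = 0;          /* constructed values */
    strcpy(m->indev, "eth0");                             /* outdev left empty */
    strcpy(m->prefix, "ulog-demo:");
    m->mac_len = 6; memcpy(m->mac, "\x00\x11\x22\x33\x44\x55", 6);
    m->data_len = sizeof ip; memcpy(buf + HDR_LEN, ip, sizeof ip);
    return HDR_LEN + sizeof ip;
}
```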

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
