tcpdump mailing list archives
Re: LIBPCAP: ULOG iptables capturing
From: Guy Harris <guy () alum mit edu>
Date: Wed, 10 Sep 2003 14:13:08 -0700
On Sep 10, 2003, at 2:07 PM, Johan Verrept wrote:
That depends on the information supplied by the netlink stuff. Ipresume you get raw network-layer (IP, IPv6, IPX, etc.) packet data fromit. It probably also supplies an indication of the network-layer protocol, and perhaps other information. What information does it supply?I haven't tried, but I think it are indeed raw packets. At least, when ulogd writes pcap files, it writes them with LINKTYPE_RAW.
If you mean LINKTYPE_RAW as in the LINKTYPE_RAW in "savefile.c", that is, indeed, raw network-layer packet data - meaning you get no link-layer information, meaning no network-layer packet type.
Is it only logging IP packets? (I.e., no ARP, no non-IP network layer protocols such as IPX, etc.?)
Except the packet itself, ulog provides a message structure containing timestamp info, which iptables hook captured the data, input and output device name, a MAC address and an arbitrary prefix which can be controlled by the rule.
So is this similar to, for example, the OpenBSD pflog stuff? With that, you get:
an "address family" value for the packet (which the tcpdump and Ethereal code for pflog assumes is either AF_INET or AF_INET6, i.e. IPv4 or IPv6);
an interface name (presumably the interface on which the packet was received);
a rule number;
a reason code saying why the packet was logged;
the action taken by PF on the packet (passed, dropped, scrubbed);
a direction value (inout, in, out);
along with a time stamp (the standard libpcap-format time stamp).
If so, I'd be inclined to use the timestamp info for a libpcap
timestamp, and supply the rest of the information in a
DLT_ULOG/LINKTYPE_ULOG header, unprocessed. (Is that information
fixed-length or variable-length?)
- This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
Current thread:
- LIBPCAP: ULOG iptables capturing Johan Verrept (Sep 06)
- Re: LIBPCAP: ULOG iptables capturing Guy Harris (Sep 08)
- Re: LIBPCAP: ULOG iptables capturing Johan Verrept (Sep 10)
- Re: LIBPCAP: ULOG iptables capturing Guy Harris (Sep 10)
- Re: LIBPCAP: ULOG iptables capturing Johan Verrept (Sep 11)
- Re: LIBPCAP: ULOG iptables capturing Guy Harris (Sep 11)
- Re: LIBPCAP: ULOG iptables capturing Johan Verrept (Sep 12)
- Re: LIBPCAP: ULOG iptables capturing Guy Harris (Sep 12)
- Re: LIBPCAP: ULOG iptables capturing Johan Verrept (Sep 10)
- Re: LIBPCAP: ULOG iptables capturing Guy Harris (Sep 08)