tcpdump mailing list archives

Re: stopping the packets from getting to kernel


From: "Mustafa Abu Sedera" <tifa_80 () hotmail com>
Date: Tue, 06 Jul 2004 22:40:48 +0000

Thanks to all who replied to my question...
Your opinions were very useful.

Regards, Mustaffa Abu Sedira


From: "Fook Ming EE" <eeefm () singnet com sg>
To: "'Alberto Ornaghi'" <alor () antifork org>, "'Mustafa Abu Sedera'" <tifa_80 () hotmail com>
CC: <tcpdump-workers () tcpdump org>, <libnet () securityfocus com>
Subject: RE: stopping the packets from getting to kernel
Date: Wed, 7 Jul 2004 00:13:26 +0800

You may need to write at the NIC card API level (LLC) to prevent interception
by the OS kernel. Or your code needs to operate at "kernel level"....

Cheers,

-----Original Message-----
From: Alberto Ornaghi [mailto:alor () antifork org]
Sent: Tuesday, July 06, 2004 11:19 PM
To: Mustafa Abu Sedera
Cc: tcpdump-workers () tcpdump org; libnet () securityfocus com
Subject: Re: stopping the packets from getting to kernel

Mustafa Abu Sedera wrote:
> For example, I send a TCP SYN packet to some host X using libnet, then
> X replies with a SYN-ACK. I capture this packet with libpcap and want
> to reply with an ACK, but the kernel also gets a copy of it and
> immediately sends a reset because, as far as the kernel is concerned, it is an ACK packet
> for which it did not send the SYN. So the TCP session gets destroyed. Is
> there any way to hinder the packets captured by libpcap from reaching
> the kernel, or is there any other idea on how to solve this issue?

You can write an iptables (or equivalent) rule to discard the packet, so
it will never reach your kernel.

bye
--

    --==> ALoR <==---------------------- -  -   -

  There are only 10 types of people in this world...
  Those who understand binary, and those who don't.





-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
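The iptables approach from the reply above, written out as an added example that is not part of the thread and not code from libnet or libpcap. It assumes Linux with iptables, and the peer address, peer port and local port it takes are invented values. Two variants are shown: dropping the inbound SYN-ACK in INPUT (the reply's suggestion; the netfilter INPUT hook sits after the AF_PACKET tap libpcap reads from, so the capture still sees the segment while the kernel's TCP code does not), and letting the kernel answer but dropping its RST in OUTPUT, scoped to the local port the user-space stack uses so the host's own sockets keep their RSTs.

```shell
#!/bin/sh
# Added example (not from the thread, libnet or libpcap): the two iptables rules
# used to keep the kernel's TCP stack out of a session that a user-space program
# drives with libnet (send) and libpcap (receive).
# Assumes Linux with iptables. All addresses and ports passed in are constructed
# values for the example.

# Variant A, the reply's suggestion: drop the inbound segments in INPUT.
# The drop happens at the netfilter INPUT hook, which runs after the packet
# tap libpcap uses (AF_PACKET), so libpcap still captures the SYN-ACK while
# the kernel's TCP code never sees it and so has no reason to send a RST.
rule_drop_inbound() {
    peer=$1 peer_port=$2 local_port=$3
    printf 'iptables -A INPUT -p tcp -s %s --sport %s --dport %s -j DROP' \
        "$peer" "$peer_port" "$local_port"
}

# Variant B: let the kernel see the segment and answer with a RST, but drop
# that RST in OUTPUT. Scoped to the local port the user-space stack uses so
# RSTs from the host's real sockets are not affected.
rule_drop_rst() {
    local_port=$1
    printf 'iptables -A OUTPUT -p tcp --sport %s --tcp-flags RST RST -j DROP' \
        "$local_port"
}

# Turn "-A" into "-D" to remove a rule again, leaving the host as found.
undo_rule() {
    printf '%s' "$1" | sed 's/ -A / -D /'
}

# Apply a rule for real only when running as root; otherwise show it.
apply_rule() {
    if [ "$(id -u)" -eq 0 ]; then
        sh -c "$1"
    else
        printf 'dry run (not root): %s\n' "$1"
    fi
}

# Usage (constructed values): sh kernel_out.sh apply 192.0.2.10 80 40000
#                             sh kernel_out.sh undo  192.0.2.10 80 40000
case "${1:-}" in
    apply)
        apply_rule "$(rule_drop_inbound "$2" "$3" "$4")"
        apply_rule "$(rule_drop_rst "$4")"
        ;;
    undo)
        apply_rule "$(undo_rule "$(rule_drop_inbound "$2" "$3" "$4")")"
        apply_rule "$(undo_rule "$(rule_drop_rst "$4")")"
        ;;
esac
```

Either variant alone is enough; the script installs both so that whichever hook the traffic hits first settles it. Variant A must match the session precisely (peer, peer port, local port), otherwise it also hides traffic the host's real sockets expect; variant B needs only the local port, which is why it is the more common choice when the user-space stack binds a fixed source port.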
