Wireshark mailing list archives

Re: [Wireshark-users] capturing before/after firewall in Linux


From: "kapetr" <kapetr () mizera cz>
Date: Mon, 31 Dec 2012 08:40:48 +0100 (CET)

If I understand it correctly, I would have to examine the pcap file from ulogd and compare it with a standard pcap from
Wireshark. It seems to be very hard work.

As I read in "man iptables", the ULOG target is made for exactly the case I'm searching for.
Wireshark should offer such a possibility to mark/colorize packets which are sent to a defined netlink socket (== ULOG
target).

I would be surprised if such functionality were lacking in Wireshark.
Is it certain Wireshark does not have it?

--kapetr

----- ORIGINAL MESSAGE -----
From: "Jaap Keuter" <jaap.keuter () xs4all nl>
To: "Community support list for Wireshark" <wireshark-users () wireshark org>
Subject: Re: [Wireshark-users] capturing before/after firewall in
Date: 29.12.2012 - 17:44:35

Hi,

I think you should look into ulogd. ulogd is a userspace logging daemon for
netfilter/iptables-related logging
(http://www.netfilter.org/projects/ulogd/index.html). Using the
ulogd_output_PCAP.so plugin you can have it write pcap files.

Thanks,
Jaap


On 12/28/2012 06:58 PM, kapetr wrote:
Hello,

I run Wireshark on Ubuntu 12.04.1 64-bit.

If I see it correctly, Wireshark shows all incoming packets, even those which are dropped by the firewall (iptables).

1. Is this so?

2. For outgoing packets I expect it will be reversed: Wireshark will not show packets dropped by the FW?

[In other words: Wireshark sits between the FW and the NIC driver?]

3. Is there a way to show in Wireshark ALL in/out packets AND mark (colorize) packets which are/will be dropped by the
FW?

[Wireshark would have to monitor also packets between the FW and the higher layers of the system.]

Thanks --kapetr


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe


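The comparison kapetr calls "very hard work" above (lining up ulogd's pcap with the ordinary NIC capture) is mechanical once both sides are pcap files. The script below is an added example written for this page; it is not code from the thread, from ulogd or from Wireshark. It assumes ulogd's PCAP output plugin writes raw IP datagrams (pcap linktype 12, DLT_RAW), but it also accepts Ethernet (linktype 1) and linktype 101, so it works whichever way the log was written. It pairs packets by addresses, protocol, IP ID and payload, deliberately ignoring TTL and header checksum, because a packet logged at the FORWARD hook has already had its TTL decremented relative to the copy the NIC saw. The two pcap files are constructed in memory as sample data, not real traffic. Caveat: this matching does not survive NAT, so the logging rule belongs in the same chain as the DROP, immediately before it (for example `-j NFLOG --nflog-group 1` on current kernels, where NFLOG has replaced ULOG).

```python
"""Mark NIC-captured frames that also appear in a netfilter (ulogd) pcap log."""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4
DLT_EN10MB = 1       # Ethernet, what a normal NIC capture uses
DLT_RAW = 12         # raw IP with no link header (assumed for ulogd's PCAP plugin)
LINKTYPE_RAW = 101   # alternative pcap number for raw IP


def write_pcap(linktype, packets):
    """Serialise packet byte strings into a classic (non-pcapng) pcap image."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for i, pkt in enumerate(packets):
        out.append(struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


def read_pcap(data):
    """Parse a classic pcap image; returns (linktype, [packet bytes, ...])."""
    endian = "<" if struct.unpack_from("<I", data, 0)[0] == PCAP_MAGIC else ">"
    if struct.unpack_from(endian + "I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    packets, off = [], 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        packets.append(data[off:off + caplen])
        off += caplen
    return linktype, packets


def ipv4_of(linktype, frame):
    """Return the IPv4 datagram carried by a captured frame, or None."""
    if linktype == DLT_EN10MB:
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":
            return None
        frame = frame[14:]
    elif linktype not in (DLT_RAW, LINKTYPE_RAW):
        return None
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    total = struct.unpack_from("!H", frame, 2)[0]
    return frame[:total]          # drops Ethernet padding on short frames


def packet_key(ip):
    """Link-layer-independent identity: addresses, protocol, IP ID and payload.
    TTL and header checksum are excluded because the FORWARD hook sees the packet
    after the TTL decrement, so they differ from the NIC copy."""
    ihl = (ip[0] & 0x0F) * 4
    return (ip[12:16], ip[16:20], ip[9], ip[4:6], ip[ihl:])


def dropped_frames(nic_pcap, ulog_pcap):
    """1-based frame numbers (Wireshark's frame.number) in the NIC capture whose
    datagram was also logged by the firewall. The Counter makes this a multiset
    match: two identical retransmissions logged once are marked once, not twice."""
    lt, logged = read_pcap(ulog_pcap)
    pending = Counter()
    for pkt in logged:
        ip = ipv4_of(lt, pkt)
        if ip is not None:
            pending[packet_key(ip)] += 1
    lt, frames = read_pcap(nic_pcap)
    hits = []
    for number, frame in enumerate(frames, start=1):
        ip = ipv4_of(lt, frame)
        if ip is not None and pending[packet_key(ip)] > 0:
            pending[packet_key(ip)] -= 1
            hits.append(number)
    return hits


def wireshark_filter(frame_numbers):
    """Display filter to paste into a Wireshark colouring rule for the NIC capture."""
    if not frame_numbers:
        return "frame.number == 0"    # matches nothing
    return "frame.number in {%s}" % " ".join(map(str, frame_numbers))


# --- constructed sample data (not real traffic) ---------------------------------
def ipv4(src, dst, proto, ident, ttl, payload):
    """Minimal IPv4 datagram; header checksum left at zero, nothing here validates it."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                       ttl, proto, 0, addr(src), addr(dst)) + payload


def ethernet(ip):
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + ip


SSH_SYN = ipv4("10.0.0.5", "10.0.0.1", 6, 0x1001, 64, b"\xc3\x50\x00\x16" + b"\x00" * 16)
DNS_Q = ipv4("10.0.0.5", "10.0.0.1", 17, 0x1002, 64, b"\xc3\x51\x00\x35" + b"\x00" * 8)
TELNET_SYN = ipv4("10.0.0.5", "10.0.0.1", 6, 0x1003, 64, b"\xc3\x52\x00\x17" + b"\x00" * 16)
PING = ipv4("10.0.0.5", "10.0.0.1", 1, 0x1004, 64, b"\x08\x00" + b"\x00" * 6)

# What Wireshark on the NIC sees: everything, in arrival order.
NIC_CAPTURE = write_pcap(DLT_EN10MB, [ethernet(p) for p in (SSH_SYN, DNS_Q, TELNET_SYN, PING)])
# What a NFLOG/ULOG rule placed just before "-j DROP" hands to ulogd: only the telnet
# SYN, as raw IP, here with TTL already decremented as it would be at the FORWARD hook.
ULOGD_CAPTURE = write_pcap(DLT_RAW, [ipv4("10.0.0.5", "10.0.0.1", 6, 0x1003, 63,
                                           b"\xc3\x52\x00\x17" + b"\x00" * 16)])

if __name__ == "__main__":
    frames = dropped_frames(NIC_CAPTURE, ULOGD_CAPTURE)
    print(frames, wireshark_filter(frames))   # [3] frame.number in {3}
```

Open the NIC capture in Wireshark, add the printed expression as a new rule under View > Coloring Rules, and the frames the firewall logged are highlighted in place among the rest of the traffic, which is the "ALL packets AND mark the dropped ones" view asked for in the original question. The ulogd file itself also opens directly in Wireshark, since it is an ordinary pcap.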
