MrUlterior Guru
Joined: 22 Mar 2005 Posts: 511 Location: Switzerland
Posted: Thu Sep 12, 2013 9:13 pm Post subject: iptables -J NFLOG and tcpdump - much gnashing of teeth!
Out of curiosity I've been trying to log particular traffic on my LAN, so I've setup some iptables that include:
Code:
...
iptables -A FORWARD -m mac --mac-source XX:XX:XX:XX:XX:XX -j NFLOG --nflog-group 2
iptables -A FORWARD -p tcp -d 192.168.XXX.XXX -j NFLOG --nflog-group 2
iptables -A FORWARD -p udp -d 192.168.XXX.XXX -j NFLOG --nflog-group 2
...
iptables -A INPUT -p all -i wlan0 -j NFLOG --nflog-group 1
They work: when I fire up Wireshark and point it at the NFLOG interface I can see all the interesting traffic logged.
But when I run:
Code:
tcpdump -i nflog:1 -w /home/nflog-1-${DUMP_LOG_DATE}.log
tcpdump -i nflog:2 -w /home/nflog-2-${DUMP_LOG_DATE}.log
I get:
Code:
tcpdump: WARNING: SIOCGIFADDR: nflog:1: No such device
tcpdump: /home/nflog-0-20130912-230157.log: No such file or directory
tcpdump: WARNING: SIOCGIFADDR: nflog:2: No such device
tcpdump: /home/nflog-1-20130912-230157.log: No such file or directory
What gives? I notice that wireshark runs dumpcap like this:
Code:
dumpcap -n -i nflog -y NFLOG -U zone
So I tried a similar thing with tcpdump:
Code:
# tcpdump -i nflog -w /home/blah.log
tcpdump: Can't listen on group group index: Operation not permitted
tcpdump relies on libpcap (built with netlink support) and iptables itself seems to be built correctly:
Code:
# for M in iptables libpcap netfilter tcpdump; do eix -I $M; done
[I] net-firewall/iptables
Available versions: 1.4.6 1.4.10 ~1.4.10-r1 1.4.11.1-r2 ~1.4.12 1.4.12.1 ~1.4.12.1-r1 1.4.13 ~1.4.13-r2 ~1.4.14-r1 ~1.4.15-r1 ~1.4.16.2 1.4.16.3 ~1.4.17 {ipv6 netlink static-libs}
Installed versions: 1.4.16.3(22:19:59 09/12/13)(ipv6 netlink -static-libs)
Homepage: http://www.iptables.org/
Description: Linux kernel (2.4+) firewall, NAT and packet mangling tools
[I] net-libs/libpcap
Available versions: 1.1.1-r1 1.3.0-r1 {bluetooth canusb ipv6 netlink static-libs}
Installed versions: 1.3.0-r1(22:17:11 09/12/13)(ipv6 netlink -bluetooth -canusb -static-libs)
Homepage: http://www.tcpdump.org/
Description: A system-independent library for user-level network packet capture
[I] net-libs/libnetfilter_conntrack
Available versions: 1.0.0 ~1.0.1 1.0.2 {static-libs}
Installed versions: 1.0.2(00:33:22 02/23/13)(-static-libs)
Homepage: http://www.netfilter.org/projects/libnetfilter_conntrack/
Description: programming interface (API) to the in-kernel connection tracking state table
[I] net-analyzer/tcpdump
Available versions: 3.9.8 3.9.8-r1 ~4.1.1 ~4.2.0 ~4.2.1 4.3.0 {(+)chroot ipv6 (-)samba smi ssl suid test}
Installed versions: 4.3.0(22:19:22 09/12/13)(chroot ipv6 ssl -samba -smi -suid -test)
Homepage: http://www.tcpdump.org/
Description: A Tool for network monitoring and data acquisition
Heeeeelp!
derzol n00b
Joined: 17 Sep 2013 Posts: 1
Posted: Tue Sep 17, 2013 3:05 pm Post subject: Re: iptables -J NFLOG and tcpdump - much gnashing of teeth!
What gives? I notice that wireshark runs dumpcap like this:
Code:
dumpcap -n -i nflog -y NFLOG -U zone
Perhaps:
Code:
dumpcap -i nflog:1 -w /home/nflog-1.pcap
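The files written by `tcpdump -i nflog:N -w ...` (or by dumpcap with `-y NFLOG`) use link type DLT_NFLOG (239): each record starts with an NFLOG pseudo-header carrying the group id followed by a set of TLVs (prefix, payload, interface indexes, ...) instead of an Ethernet frame. As an added example, not code from this thread, here is a small parser that pulls the NFLOG group, the `--nflog-prefix` string and the IPv4 endpoints out of such a capture; the pcap it is fed is constructed inline (little-endian capture host, group 2, one UDP packet) and is not a real capture from the poster's LAN.

```python
import struct
from ipaddress import IPv4Address

DLT_NFLOG = 239                       # link type libpcap uses for nflog:N captures
NFULA_PAYLOAD, NFULA_PREFIX = 9, 10   # NFLOG TLV types: packet payload, --nflog-prefix text

def parse_nflog_pcap(data: bytes) -> list:
    """Return one dict per record: address family, NFLOG group, prefix, IPv4 src/dst."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a pcap file")
    bo = "<" if magic == 0xA1B2C3D4 else ">"      # byte order of the capturing host
    linktype = struct.unpack(bo + "I", data[20:24])[0]
    if linktype != DLT_NFLOG:
        raise ValueError("link type %d is not DLT_NFLOG" % linktype)
    records, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(bo + "IIII", data[off:off + 16])[2]
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Fixed NFLOG header: family, version, resource id (= nflog group); big endian.
        family, _version, group = struct.unpack(">BBH", pkt[:4])
        rec = {"family": family, "group": group, "prefix": "", "src": None, "dst": None}
        p = 4
        while p + 4 <= len(pkt):
            # TLV length/type are in the capturing host's byte order; length includes the 4-byte header.
            tlv_len, tlv_type = struct.unpack(bo + "HH", pkt[p:p + 4])
            if tlv_len < 4:
                break                                 # malformed TLV: stop rather than loop forever
            value = pkt[p + 4:p + tlv_len]
            if tlv_type == NFULA_PREFIX:
                rec["prefix"] = value.rstrip(b"\0").decode(errors="replace")
            elif tlv_type == NFULA_PAYLOAD and family == 2 and len(value) >= 20:
                rec["src"], rec["dst"] = str(IPv4Address(value[12:16])), str(IPv4Address(value[16:20]))
            p += (tlv_len + 3) & ~3                   # values are padded to a 4-byte boundary
        records.append(rec)
    return records

def _tlv(bo: str, tlv_type: int, value: bytes) -> bytes:
    body = struct.pack(bo + "HH", len(value) + 4, tlv_type) + value
    return body + b"\0" * (-len(body) % 4)

def build_sample_pcap() -> bytes:
    """Constructed sample (not a real capture): little-endian host, group 2, one IPv4/UDP packet."""
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
                     IPv4Address("192.168.1.10").packed, IPv4Address("192.168.1.20").packed)
    pkt = (struct.pack(">BBH", 2, 0, 2) + _tlv("<", NFULA_PREFIX, b"lan-udp\0")
           + _tlv("<", NFULA_PAYLOAD, ip + b"\0" * 8))
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_NFLOG)
    return ghdr + struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
```

Running `parse_nflog_pcap(build_sample_pcap())` returns a single record with group 2, prefix "lan-udp" and the two sample addresses; pointing it at a file from `tcpdump -i nflog:2 -w` shows which rule group each logged packet came from.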