From: Brad Tilley
Subject: Re: Logging the whole packet
Date: Tue, 23 Nov 2004 20:12:28 -0500
Message-ID: <41A3DFFC.2090109@vt.edu>
References: <41A3B0A4.9020906@vt.edu> <20041123221206.GA3476@bender.817west.com>
In-Reply-To: <20041123221206.GA3476@bender.817west.com>
To: netfilter@lists.netfilter.org
Sender: netfilter-bounces@lists.netfilter.org

Jason Opperisano wrote:

> On Tue, Nov 23, 2004 at 04:50:28PM -0500, Brad Tilley wrote:
>
>> Is it possible to log the packet body and not just the header?
>>
>> Currently I have this line in my iptables start-up file:
>>
>> /sbin/iptables -I INPUT -p tcp -s ! 128.173.120.79 -d 128.173.120.79 -j LOG --log-prefix="Packet_Filter:"
>>
>> And it generates log entries such as this:
>>
>> Nov 23 16:44:28 athop1 kernel: Packet_Filter:IN=eth0 OUT= MAC=00:30:6e:5e:a2:0c:00:d0:01:ab:44:00:08:00 SRC=64.81.214.131 DST=128.173.120.79 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=29621 DF PROTO=TCP SPT=60366 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
>>
>> I'd like to capture the packet body as well. I'm new to packet logging
>> so forgive me if I'm overlooking the obvious.
>
> AFAIK, the normal LOG target cannot actually do this. Instead, use the
> ULOG target which will copy the entire packet to the userspace ulogd
> daemon where you can use the ulogd_PCAP.so plugin to create a tcpdump
> file of the packets you are interested in. Check out:
>
>   http://gnumonks.org/gnumonks/projects/project_details?p_id=1
>
> for more details about ulogd.
>
> HTH...
>
> -j
>
> --
> "Television! Teacher, mother, secret lover."
>   --The Simpsons

Thanks, that works great. I had to recompile the kernel to get ULOG
support, but other than that, it's rather straightforward.
I added this line to my iptables startup script:

/sbin/iptables -I INPUT -p tcp -s ! 128.173.120.79 -d 128.173.120.79 -j ULOG --ulog-prefix "Packet_Filter:"

I'm using the /usr/lib/ulogd/ulogd_OPRINT.so plugin to write the packet
capture to a file for now. Here's a sample of what it looks like:

===>PACKET BOUNDARY
tcp.fin=0
tcp.syn=1
tcp.rst=0
tcp.psh=0
tcp.ack=0
tcp.urg=0
tcp.window=64240
tcp.ackseq=0
tcp.seq=4245420361
tcp.dport=445
tcp.sport=2797
ip.fragoff=16384
ip.id=11011
ip.csum=2618
ip.ihl=5
ip.totlen=48
ip.ttl=111
ip.tos=0
ip.protocol=6
ip.daddr=128.173.120.79
ip.saddr=63.231.157.167
oob.out=
oob.in=eth0
oob.mark=0
oob.time.usec=213408
oob.time.sec=1101257132
oob.prefix=Packet_Filter:
raw.pktlen=48
raw.pkt=
raw.mac=00:30:6e:5e:a2:0c:00:d0:01:ab:44:00:08:00

Now, all I need to do is figure out what's in the packet body. Any
pointers on that? Ideally I'd like to write a script that recreates
keystrokes from packets that contain ssh session info. Probably
off-topic here, but I thought I'd ask.

Thanks for the ULOG tip!
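As an added example (editor's code, not part of the thread and not ulogd's own code): the ulogd_PCAP.so plugin Jason mentions writes a libpcap (tcpdump-format) file, and the script below reads such a file and pulls out the TCP payload of each packet, which is the "packet body" the ULOG rule captures and the OPRINT plugin shows only as an empty raw.pkt field. The capture it parses is constructed in memory rather than taken from a real ulogd file; it reuses the addresses and ports from the OPRINT record above, and adds an assumed second segment to port 22 carrying a made-up SSH version banner. One caveat for the keystroke idea: after the banner exchange an SSH session is encrypted, so the payloads this script recovers for port 22 traffic will be ciphertext, not keystrokes.

```python
"""Extract TCP payloads from a libpcap (tcpdump-format) file, e.g. one written
by ulogd's PCAP output plugin.  Standard library only.  The sample capture is
constructed in memory (not a real ulogd capture) so the script runs offline."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4        # libpcap magic for microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # bit 0 .. bit 5


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, payload=b"", seq=0):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture.
    MAC addresses are taken from the thread's MAC= field; TCP checksum is left 0."""
    eth = bytes.fromhex("00306e5ea20c") + bytes.fromhex("00d001ab4400") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 64240, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 11011, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in header checksum
    return eth + ip + tcp + payload


def build_pcap(frames, ts=1101257132):
    """Wrap frames in a libpcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 213408 + i, len(frame), len(frame)) + frame
    return out


def parse_ethernet_tcp(frame: bytes):
    """Decode Ethernet -> IPv4 -> TCP; return None for anything that is not IPv4/TCP."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or ihl < 20 or len(ip) < total_len:
        return None
    tcp = ip[ihl:total_len]                      # honour IP length, drop Ethernet padding
    if len(tcp) < 20:
        return None
    sport, dport, seq, _ack, doff_byte, flags = struct.unpack("!HHIIBB", tcp[:14])
    doff = (doff_byte >> 4) * 4                  # TCP header length incl. options
    if doff < 20 or doff > len(tcp):
        return None
    return {
        "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport, "seq": seq,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "payload": tcp[doff:],
    }


def parse_pcap(data: bytes):
    """Yield one dict per TCP packet in a pcap byte string (either byte order)."""
    magic, = struct.unpack("<I", data[:4])
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic)
    linktype, = struct.unpack(endian + "I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < incl_len:
            break                                # truncated capture: stop cleanly
        pkt = parse_ethernet_tcp(frame)
        if pkt is not None:
            pkt["ts"] = ts_sec + ts_usec / 1e6
            yield pkt


def payloads_for(data: bytes, dst: str, dport: int):
    """Non-empty TCP payloads delivered to dst:dport, in capture order."""
    return [p["payload"] for p in parse_pcap(data)
            if p["dst"] == dst and p["dport"] == dport and p["payload"]]


def sample_capture() -> bytes:
    """Constructed capture: the SYN from the thread's OPRINT record, plus an
    assumed data segment to port 22 carrying a made-up SSH version banner."""
    return build_pcap([
        build_tcp_frame("63.231.157.167", "128.173.120.79", 2797, 445, 0x02, seq=4245420361),
        build_tcp_frame("64.81.214.131", "128.173.120.79", 60366, 22, 0x18,
                        payload=b"SSH-2.0-OpenSSH_3.9p1\r\n", seq=1000),
    ])


if __name__ == "__main__":
    for p in parse_pcap(sample_capture()):
        print("%s:%d -> %s:%d [%s] payload=%d bytes"
              % (p["src"], p["sport"], p["dst"], p["dport"], "/".join(p["flags"]), len(p["payload"])))
        if p["payload"]:
            print("    ", p["payload"])
```

To run it against a real ulogd PCAP file, replace `sample_capture()` with the file's bytes (`open(path, "rb").read()`); the reader honours the IP total length rather than the frame length, so Ethernet trailer padding on short packets does not end up in the payload.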