From: Stef Coene <stef.coene@docum.org>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] netfilter passive monitoring
Date: Mon, 19 May 2003 18:41:13 +0000
Message-ID: <marc-lartc-105336980826730@msgid-missing>
In-Reply-To: <marc-lartc-105335706510952@msgid-missing>

On Monday 19 May 2003 17:04, Padraig Brady wrote:
> Hi, I've a passive monitor setup with 3
> network interfaces. eth2 is the management (normal)
> interface while eth0 and eth1 are my monitoring
> interfaces which never transmit.
>
>
> -----+-----+--------
>
>      eth0  eth1
>
> so eth0 monitors the traffic one way on the link
> and vice versa for eth1 (we're using a netoptics tap).
>
> Anyway my question is I would like to pass all
> traffic received on eth0 and eth1 into netfilter.
> I thought by placing my rules in the PREROUTING
> chain of the mangle table would work, since this
> happens before any routing decision is made.
> But the packets are never received by netfilter :-(
>
> The packets are entering the box because you can
> see/filter them using iptraf.
>
> #iptables -t mangle -L PREROUTING -v
> Chain PREROUTING (policy ACCEPT 189K packets, 61M bytes)
>   pkts bytes target     prot opt in     out  source      destination
>
>      0     0            icmp --  eth0   any  anywhere    anywhere
>
>      0     0            icmp --  eth1   any  anywhere    anywhere

I think the network cards are running in some sort of capture mode like if you
run tcpdump.  So they capture all packets that are on the wire.  But
iptables/netfilter only sees the packets entering the hosts.  So you can not
use iptables/netfilter to monitor all packets on the wire.

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
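
Added example, not part of the original message and not kernel code: a simplified Python model of the Linux receive path, showing why a tapped frame reaches packet sockets (tcpdump, iptraf) while the mangle PREROUTING counters stay at zero. It assumes the NIC is promiscuous; the MAC addresses, frames and function names are constructed for illustration.

```python
import struct

ETH_P_IP = 0x0800
BROADCAST = b"\xff" * 6

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def classify(frame: bytes, dev_mac: bytes) -> str:
    """Model of the pkt_type decision made in the kernel's eth_type_trans()."""
    dst = frame[0:6]
    if dst[0] & 0x01:  # group bit set: broadcast or multicast
        return "BROADCAST" if dst == BROADCAST else "MULTICAST"
    return "HOST" if dst == dev_mac else "OTHERHOST"

def visibility(frame: bytes, dev_mac: bytes) -> dict:
    """Which consumers see a frame that the NIC has already accepted."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    pkt_type = classify(frame, dev_mac)
    return {
        "pkt_type": pkt_type,
        # Packet sockets are fed before any protocol handler runs.
        "packet_socket": True,
        # ip_rcv() drops OTHERHOST frames before the PREROUTING hook,
        # so iptables counters never move for them.
        "netfilter_prerouting": ethertype == ETH_P_IP and pkt_type != "OTHERHOST",
    }

def make_frame(dst: str, ethertype: int = ETH_P_IP) -> bytes:
    # Constructed frame: dst MAC, src MAC, EtherType, dummy 20-byte payload.
    return (mac(dst) + mac("02:00:00:00:00:aa")
            + struct.pack("!H", ethertype) + b"\x45" + b"\x00" * 19)

# Constructed sample data: the monitor port's own MAC and three frames.
MONITOR_MAC = mac("02:00:00:00:00:10")
SAMPLES = {
    "tapped link traffic": make_frame("02:00:00:00:00:bb"),
    "addressed to monitor": make_frame("02:00:00:00:00:10"),
    "broadcast": make_frame("ff:ff:ff:ff:ff:ff"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:22s} {visibility(frame, MONITOR_MAC)}")
```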
