* [LARTC] netfilter passive monitoring
From: Padraig Brady @ 2003-05-19 15:04 UTC
To: lartc
Hi, I've a passive monitor setup with 3
network interfaces. eth2 is the management (normal)
interface while eth0 and eth1 are my monitoring
interfaces which never transmit.
-----+-----+--------
     |     |
    eth0  eth1
so eth0 monitors the traffic one way on the link
and vice versa for eth1 (we're using a netoptics tap).
Anyway my question is I would like to pass all
traffic received on eth0 and eth1 into netfilter.
I thought by placing my rules in the PREROUTING
chain of the mangle table would work, since this
happens before any routing decision is made.
But the packets are never received by netfilter :-(
The packets are entering the box because you can
see/filter them using iptraf.
#iptables -t mangle -L PREROUTING -v
Chain PREROUTING (policy ACCEPT 189K packets, 61M bytes)
pkts bytes target prot opt in out source destination
0 0 icmp -- eth0 any anywhere anywhere
0 0 icmp -- eth1 any anywhere anywhere
thanks,
Pádraig.
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] netfilter passive monitoring
From: Stef Coene @ 2003-05-19 18:41 UTC
To: lartc
On Monday 19 May 2003 17:04, Padraig Brady wrote:
> Hi, I've a passive monitor setup with 3
> network interfaces. eth2 is the management (normal)
> interface while eth0 and eth1 are my monitoring
> interfaces which never transmit.
>
>
> -----+-----+--------
>      |     |
>     eth0  eth1
>
> so eth0 monitors the traffic one way on the link
> and vice versa for eth1 (we're using a netoptics tap).
>
> Anyway my question is I would like to pass all
> traffic received on eth0 and eth1 into netfilter.
> I thought by placing my rules in the PREROUTING
> chain of the mangle table would work, since this
> happens before any routing decision is made.
> But the packets are never received by netfilter :-(
>
> The packets are entering the box because you can
> see/filter them using iptraf.
>
> #iptables -t mangle -L PREROUTING -v
> Chain PREROUTING (policy ACCEPT 189K packets, 61M bytes)
> pkts bytes target prot opt in out source destination
>
> 0 0 icmp -- eth0 any anywhere anywhere
>
> 0 0 icmp -- eth1 any anywhere anywhere
I think the network cards are running in some sort of capture mode, like when you
run tcpdump. So they capture all packets that are on the wire. But
iptables/netfilter only sees the packets entering the host. So you can not
use iptables/netfilter to monitor all packets on the wire.
Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
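Stef's explanation is the mechanism behind the zero counters: a promiscuous NIC hands every frame to AF_PACKET sniffers such as iptraf, but the kernel classifies each frame by destination MAC in eth_type_trans(), and ip_rcv() drops frames marked PACKET_OTHERHOST before the NF_IP_PRE_ROUTING hook (mangle PREROUTING) ever runs. The Python below is an added model of that classification, not code from the thread or from the patch linked later; the MAC addresses and frames are constructed.

```python
# Packet-type classes, numbered as in the kernel's <linux/if_packet.h>.
PACKET_HOST, PACKET_BROADCAST, PACKET_MULTICAST, PACKET_OTHERHOST = 0, 1, 2, 3

def classify_frame(frame: bytes, host_mac: bytes) -> int:
    """Mirror the decision eth_type_trans() makes for each received frame.

    HOST, BROADCAST and MULTICAST frames continue into ip_rcv() and on to the
    NF_IP_PRE_ROUTING hook. OTHERHOST frames (everything a promiscuous tap port
    sees that is addressed to some other station) are dropped at the top of
    ip_rcv(), so no iptables chain ever counts them. An AF_PACKET sniffer
    (iptraf, tcpdump) is handed every class regardless.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[:6]
    if dst == host_mac:
        return PACKET_HOST
    if dst == b"\xff" * 6:
        return PACKET_BROADCAST
    if dst[0] & 0x01:            # I/G bit set: group (multicast) address
        return PACKET_MULTICAST
    return PACKET_OTHERHOST

def build_frame(dst: bytes, src: bytes, ethertype: int = 0x0800) -> bytes:
    """Constructed sample frame: Ethernet header plus a dummy IPv4-like payload."""
    return dst + src + ethertype.to_bytes(2, "big") + b"\x45" + b"\x00" * 19

def count_visibility(frames, host_mac):
    """Return (frames seen by a sniffer, frames that reach mangle PREROUTING)."""
    reaching = sum(1 for f in frames if classify_frame(f, host_mac) != PACKET_OTHERHOST)
    return len(frames), reaching

# Constructed addresses: the monitor's own eth0 MAC and two stations on the tapped link.
MONITOR_MAC = bytes.fromhex("001122aabb01")
STATION_A = bytes.fromhex("00aa00aa00aa")
STATION_B = bytes.fromhex("00bb00bb00bb")

# Constructed capture from the tap: unicast traffic A<->B plus one broadcast from A.
SAMPLE_FRAMES = [
    build_frame(STATION_B, STATION_A),
    build_frame(STATION_A, STATION_B),
    build_frame(STATION_B, STATION_A),
    build_frame(b"\xff" * 6, STATION_A),
]

if __name__ == "__main__":
    seen, reaching = count_visibility(SAMPLE_FRAMES, MONITOR_MAC)
    print(f"sniffer sees {seen} frames, mangle PREROUTING sees {reaching}")
```

Only the broadcast frame would show up in the PREROUTING counters; the unicast ICMP between the two tapped stations never does, which is exactly what the listing in the first mail shows.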
* Re: [LARTC] netfilter passive monitoring
From: Jussi Norlund @ 2003-05-19 22:12 UTC
To: lartc
* Stef Coene <stef.coene@docum.org> [030519 20:49]:
> iptables/netfilter only sees the packets entering the host. So you can not
> use iptables/netfilter to monitor all packets on the wire.
Try this patch.
http://www.scaramanga.co.uk/code-fu/netfilter-promisc.diff
I have not tried it myself, so if you decide to do that, I would be glad to hear about your results.
Cheers,
Jussi
--
"To do is to be." - Socrates. "To be is to do." - Plato. "Skoo be do be do." - Sinatra.
1024D/805498C0
AC06 7251 B58B 7A3F 0168 758F 3252 F725 8054 98C0
* Re: [LARTC] netfilter passive monitoring
From: Padraig Brady @ 2003-05-20 14:47 UTC
To: lartc
Jussi Norlund wrote:
> * Stef Coene <stef.coene@docum.org> [030519 20:49]:
>
>> iptables/netfilter only sees the packets entering the host. So you can not
>> use iptables/netfilter to monitor all packets on the wire.
>
> Try this patch.
> http://www.scaramanga.co.uk/code-fu/netfilter-promisc.diff
>
> I have not tried it myself, so if you decide to do that, I would be glad to hear about your results.
Joy.
thanks a lot!
Pádraig.