* Netfilter and Tcpdump
From: Sowmya Sridharan @ 2011-04-11 6:02 UTC (permalink / raw)
To: kernelnewbies
Hi,
I was analyzing some tcpdump data, and noticed that it also captured
packets mangled by Netfilter hooks.
Theoretically I know that the pcap library takes off the packets from
ethernet driver level and with the help of the dynamic filters set by
userspace, we are able to see those packets via tcpdump.
But aren't netfilter hooks attached at a higher level, namely the network
stack? If so, then how is the pcap library able to sniff those packets as
well? Is it like the pcap library just holds a reference to the packets it
takes from the driver, or does it maintain a separate copy for displaying?
Any answers/clarifications would be much appreciated.
Thanks,
Sowmya
* Netfilter and Tcpdump
From: Mulyadi Santosa @ 2011-04-14 2:54 UTC (permalink / raw)
To: kernelnewbies
Hi...
On Mon, Apr 11, 2011 at 13:02, Sowmya Sridharan
<sowmya.sridharan@tcs.com> wrote:
>
> Hi,
>
> I was analyzing some tcpdump data, and noticed that it also captured packets
> mangled by Netfilter hooks.
Those mangled packets, are they forwarded again to your monitored
interface? If yes, I think that's the answer...
--
regards,
Mulyadi Santosa
Freelance Linux trainer and consultant
blog: the-hydra.blogspot.com
training: mulyaditraining.blogspot.com